Re: Does nginx use unique session identifiers

Francis Daly
July 11, 2019 11:24AM
On Tue, Jul 09, 2019 at 06:40:06PM +0000, Lemons, Terry wrote:

Hi there,

> One of the rules (https://www.stigviewer.com/stig/web_server_security_requirements_guide/2014-11-17/finding/V-41807) states, "The web server must generate unique session identifiers that cannot be reliably reproduced." I searched the nginx documentation, but wasn't able to confirm that unique session identifiers are used.
>
> Are they?

I think that that rule is intended as something like:

if session identifiers are generated, then they must not be guessable.

And I think that nginx does not generate session identifiers, unless
you ask it to.

If you do ask it to, then you possibly will use the "userid" directive
(http://nginx.org/r/userid, plus the rest of that page).

If you use "userid", then what it does is in the file
../src/http/modules/ngx_http_userid_filter_module.c

The main "hopefully unguessable" part there seems to be "the number of
microseconds past the second, at the instant that this code ran". But
you shouldn't trust my interpretation of it, when you can read it
yourself.

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
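An added example (not code from this thread or from nginx) that models the concern in the reply above: an identifier whose only varying part is the clock, beside one drawn from the OS CSPRNG, with a small check a reviewer can run over a sample of issued identifiers. The byte layout of `clock_derived_id` is a hypothetical simplification for illustration, not nginx's actual userid cookie format.

```python
import secrets
import time


def clock_derived_id(sec=None, usec=None):
    """Hypothetical model of a clock-derived identifier: 4 bytes of epoch
    seconds followed by 4 bytes holding the microseconds past that second.
    A simplification for illustration, not nginx's actual layout."""
    if sec is None or usec is None:
        now = time.time()
        sec, usec = int(now), int((now - int(now)) * 1_000_000)
    return sec.to_bytes(4, "big") + usec.to_bytes(4, "big")


def random_id(nbytes=16):
    """Identifier drawn from the OS CSPRNG: the property the rule asks for."""
    return secrets.token_bytes(nbytes)


def analyze(ids):
    """Checks a reviewer can run over a sample of issued identifiers.

    Returns (all_unique, constant_positions, varying_bits_upper_bound):
    positions whose byte is identical across every sample carry nothing an
    attacker who has seen one id still needs to guess; the remaining bytes
    give an upper bound on the search space (varying is not yet random).
    """
    if len(ids) < 2:
        raise ValueError("need at least two identifiers to compare")
    length = len(ids[0])
    if any(len(i) != length for i in ids):
        raise ValueError("identifiers must have equal length")
    all_unique = len(set(ids)) == len(ids)
    constant = [p for p in range(length) if len({i[p] for i in ids}) == 1]
    return all_unique, constant, 8 * (length - len(constant))


def burst(n, sec=1_600_000_000, step_usec=1000):
    """Constructed sample: n clock-derived ids issued within one second."""
    return [clock_derived_id(sec, k * step_usec) for k in range(n)]


if __name__ == "__main__":
    # Clock-derived ids are unique within the burst, yet bytes 0-4 never change.
    print("clock-derived:", analyze(burst(1000)))
    print("csprng:", analyze([random_id() for _ in range(1000)]))
```

The clock-derived burst passes the uniqueness half of the rule but leaves only the microsecond field to guess, while the CSPRNG sample has no constant positions at all.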