NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-23(3) Unique System-generated Session Identifiers

Generate a unique session identifier for each session with {{ insert: param, sc-23.03_odp }} and recognize only session identifiers that are system-generated.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Generating unique session identifiers curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers.

Practitioner Notes

Session identifiers must be system-generated, not predictable or user-chosen. Predictable session IDs let attackers guess valid sessions.

Example 1: Configure your web framework to use its built-in cryptographically random session ID generator. In ASP.NET, the framework generates 120-bit random session IDs by default. Never create custom session ID schemes.

Example 2: In IIS, configure the session state to use cookie-based session tracking with the default random ID generator. Set the cookieless attribute to "UseCookies" to prevent session IDs from appearing in URLs where they could be logged or shared.
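A web.config fragment illustrating Example 2, added here as an example and not taken from the NIST control text or from Microsoft documentation; the timeout value is an assumption. The commented-out element shows the weak URL-based setting and the live element the corrected cookie-based one:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment (not from the NIST control text). -->
<configuration>
  <system.web>
    <!--
      WEAK: cookieless="UseUri" embeds the session ID in every URL, so it
      lands in proxy and server logs, browser history and Referer headers,
      and a link carrying someone's ID can be replayed by whoever sees it.
      "AutoDetect" and "UseDeviceProfile" can fall back to the same behaviour.

      <sessionState mode="InProc" cookieless="UseUri" timeout="20" />
    -->

    <!--
      CORRECTED: cookie-based tracking with the framework's built-in random
      ID generator (no custom SessionIDManager), so IDs never appear in URLs.
      timeout="20" (minutes) is an assumed value, not a NIST requirement.
    -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  cookieName="ASP.NET_SessionId"
                  timeout="20" />

    <!-- Keep the session cookie out of script and off plaintext HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

To verify the deployed setting, confirm that the Set-Cookie header for ASP.NET_SessionId carries the Secure and HttpOnly flags and that no application URL contains the (S(...)) segment ASP.NET uses for cookieless sessions.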