Unique session identifiers

nbislicense · April 27, 2020, 2:45pm

Must-share information (formatted with Markdown):

which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): sonarqube 7.6
what are you trying to achieve: stig the sonarqube application.
what have you tried so far to achieve this

I’m working on stigging the sonarqube application 7.6. I have one control which is shown as below. Can you help answer the question? I can’t find the information from any documentation.

Check Text: Review the application server configuration and documentation to determine if the application server uses a FIPS 140-2 approved random number generator to create unique session identifiers.

Have a user log onto the application server to determine if the session IDs generated are random and unique.

If the application server does not generate unique session identifiers and does not use a FIPS 140-2 random number generator to create the randomness of the session ID, this is a finding.

pierreguillot · April 27, 2020, 3:10pm

Hi, SonarQube authentication mechanism does not rely on Session, but on JWT. So authentication is stateless.

About user token, here is the algorithm. Basically a SecureRandom byte array encoded as hexadecimal and hashed with SHA-384.

ganncamp · October 13, 2020, 3:46pm

FYI, from SonarQube 8.5 you’ll find new releases in the Iron Bank.

Ann

Topic		Replies	Views
Stig sonqrqube application server SonarQube Server / Community Build sonarqube	2	468	October 13, 2020
SSL mutual authentication SonarQube Server / Community Build sonarqube	5	841	October 13, 2020
Authentiction protocol SonarQube Server / Community Build	2	839	October 13, 2020
Cached authenticators SonarQube Server / Community Build sonarqube	3	466	October 13, 2020
DoD Application Security and Development STIG Questions SonarQube Server / Community Build security	5	2920	February 11, 2021

Unique session identifiers

Related topics