Unique session identifiers

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): SonarQube 7.6
  • what are you trying to achieve: STIG the SonarQube application.
  • what have you tried so far to achieve this

I’m working on STIGing the SonarQube application 7.6. I have one control, which is shown below. Can you help answer the question? I can’t find the information in any documentation.

Check Text: Review the application server configuration and documentation to determine if the application server uses a FIPS 140-2 approved random number generator to create unique session identifiers.

Have a user log onto the application server to determine if the session IDs generated are random and unique.

If the application server does not generate unique session identifiers and does not use a FIPS 140-2 random number generator to create the randomness of the session ID, this is a finding.

Hi, the SonarQube authentication mechanism does not rely on sessions, but on JWT. So authentication is stateless.

About user tokens, here is the algorithm: basically, a SecureRandom byte array encoded as hexadecimal and hashed with SHA-384.

FYI, from SonarQube 8.5 you’ll find new releases in the Iron Bank.
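
The token scheme described in the reply above (SecureRandom bytes, hex-encoded, hashed with SHA-384), as an added Java 17 example that is not SonarQube's code and not part of the original posts. The 20-byte length, the class and method names, the use of the hash as the stored value and the 100,000-token sample are assumptions. The printed algorithm and provider show which generator the JVM selected; they do not by themselves establish FIPS 140-2 validation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.HexFormat;
import java.util.Set;

public class TokenSchemeDemo {
    // Assumption: 20 random bytes per token; the thread does not state a length.
    static final int TOKEN_BYTES = 20;
    static final SecureRandom RNG = new SecureRandom();

    // Plaintext token: CSPRNG bytes, hex-encoded.
    static String generateToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        return HexFormat.of().formatHex(raw);
    }

    // SHA-384 of the hex string, hex-encoded (assumed here to be the value stored server-side).
    static String hashToken(String token) throws Exception {
        MessageDigest sha384 = MessageDigest.getInstance("SHA-384");
        return HexFormat.of().formatHex(sha384.digest(token.getBytes(StandardCharsets.US_ASCII)));
    }

    // A presented token is accepted only if its hash matches the stored hash.
    static boolean verify(String presented, String storedHash) throws Exception {
        byte[] a = hashToken(presented).getBytes(StandardCharsets.US_ASCII);
        byte[] b = storedHash.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // RNG details an auditor would record for the random-number-generator part of the check.
        System.out.println("SecureRandom algorithm: " + RNG.getAlgorithm());
        System.out.println("SecureRandom provider:  " + RNG.getProvider().getName());

        String token = generateToken();
        String stored = hashToken(token);
        System.out.println("valid token accepted: " + verify(token, stored));
        System.out.println("other token accepted: " + verify(generateToken(), stored));

        // Uniqueness spot check over a constructed sample.
        Set<String> seen = new HashSet<>();
        int n = 100_000;
        for (int i = 0; i < n; i++) seen.add(generateToken());
        System.out.println("distinct tokens: " + seen.size() + " of " + n);
    }
}
```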