On Tue, Jul 09, 2019 at 06:40:06PM +0000, Lemons, Terry wrote:

Hi there,

> One of the rules
> (https://www.stigviewer.com/stig/web_server_security_requirements_guide/2014-11-17/finding/V-41807)
> states, "The web server must generate unique session identifiers that cannot
> be reliably reproduced." I searched the nginx documentation, but wasn't able
> to confirm that unique session identifiers are used.
>
> Are they?

I think that that rule is intended as something like: if session identifiers
are generated, then they must not be guessable.

And I think that nginx does not generate session identifiers, unless you ask
it to.

If you do ask it to, then you possibly will use the "userid" directive
(http://nginx.org/r/userid, plus the rest of that page).

If you use "userid", then what it does is in the file
./src/http/modules/ngx_http_userid_filter_module.c

The main "hopefully unguessable" part there seems to be "the number of
microseconds past the second, at the instant that this code ran".

But you shouldn't trust my interpretation of it, when you can read it
yourself.

Cheers,

	f
-- 
Francis Daly        fran...@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
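The reply above makes the security point that an identifier whose only non-public input is the sub-second time of issue is reproducible by anyone who knows roughly when it was issued. The following is an added example, not code from nginx, from ngx_http_userid_filter_module.c, or from either participant in the thread. It models a hypothetical 16-byte identifier (service number, whole seconds, microseconds, per-worker counter; the layout is an assumption for illustration and is not the real userid cookie format), shows an attacker reproducing it by enumerating microseconds within a known window, and contrasts the effective search space with a CSPRNG-derived value of the same length. All input values are constructed.

```python
"""Time-derived versus random session identifiers (added example).

Not nginx code. The four-word layout below is a hypothetical model of an
identifier whose only non-public component is the microsecond of issue,
which is the property the reply attributes to "userid"; the real
ngx_http_userid_filter_module layout is not reproduced here.
"""
import math
import secrets
import struct
from typing import Optional, Tuple


def time_derived_id(service: int, seconds: int, usec: int, seq: int) -> bytes:
    """Hypothetical layout: four big-endian u32 words.
    service and seq are treated as public (observable from other cookies),
    seconds as known to within a small window, usec as the only secret."""
    return struct.pack("!IIII", service & 0xFFFFFFFF, seconds & 0xFFFFFFFF,
                       usec & 0xFFFFFFFF, seq & 0xFFFFFFFF)


def random_id(nbytes: int = 16) -> bytes:
    """Identifier of the same length drawn from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def time_derived_search_bits(window_seconds: int) -> float:
    """Effective entropy faced by an attacker who knows the issue second to
    within window_seconds: one candidate per microsecond in the window."""
    return math.log2(window_seconds * 1_000_000)


def random_search_bits(nbytes: int = 16) -> float:
    """Search space of a CSPRNG-derived identifier: every bit is unknown."""
    return 8.0 * nbytes


def recover_time_derived_id(target: bytes, service: int, seq: int,
                            candidate_seconds: range) -> Optional[Tuple[int, int]]:
    """Attacker's reproduction: with the public fields and a range of
    candidate seconds, enumerate every microsecond until the candidate
    matches the observed cookie. Returns (seconds, usec), or None when the
    cookie was not issued inside the guessed window."""
    for sec in candidate_seconds:
        for usec in range(1_000_000):
            if time_derived_id(service, sec, usec, seq) == target:
                return sec, usec
    return None


if __name__ == "__main__":
    # Constructed values: a cookie issued at a sub-second time the attacker
    # does not know, within a second the attacker can bound from the
    # response's Date header or their own clock.
    issued_sec, issued_usec = 1_562_697_606, 417_233
    cookie = time_derived_id(service=1, seconds=issued_sec,
                             usec=issued_usec, seq=0x100)
    hit = recover_time_derived_id(cookie, service=1, seq=0x100,
                                  candidate_seconds=range(issued_sec, issued_sec + 1))
    print("recovered (seconds, usec):", hit)
    print("time-derived search bits, 1 s window:",
          round(time_derived_search_bits(1), 2))
    print("random search bits, 16 bytes:", random_search_bits())
    print("random sample:", random_id().hex())
```

The point of the contrast is the number of candidates, not the byte length: a 16-byte value whose only secret is a microsecond count gives an attacker who can bound the issue time to one second about 2^20 guesses, whereas 16 bytes from secrets.token_bytes leaves 2^128. Whatever the real module does, the check a practitioner would want is to confirm that an unpredictable source contributes to the value, not just that the value is long.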