Does nginx use unique session identifiers

Aleksandar Lazic al-nginx at none.at
Wed Jul 10 11:16:02 UTC 2019


Hi.

Am 09.07.2019 um 20:40 schrieb Lemons, Terry:
> Hi
> 
> Our product uses nginx to front-end inbound web access. To enhance our product’s
> security posture, we have been examining the rules in the DISA Web Server
> Security Requirements Guide
> <https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Web_Server_V2R3_SRG.zip>.
> One of the rules
> (https://www.stigviewer.com/stig/web_server_security_requirements_guide/2014-11-17/finding/V-41807)
> states, “The web server must generate unique session identifiers that cannot be
> reliably reproduced.” I searched the nginx documentation, but wasn’t able to
> confirm that unique session identifiers are used.
> 
> Are they?

Myabe you can use the variable `request_id`.

https://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_id

In the following blog posts can you find a example how it can be used.

https://www.nginx.com/blog/application-tracing-nginx-plus/
=> Tracing Requests End‑to‑End

> Thanks
> 
> tl

Hth
Aleks

> *Terry Lemons*
> 
> * *
> 
> DellEMC_Logo_Hz_Blue_rgb_10percent
> 
> Data Protection Division
> 
>  
> 
> 176 South Street, MS 2/B-34
> Hopkinton MA 01748
> terry.lemons at dell.com <mailto:terry.lemons at dell.com>
> 
>  
> 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> 



More information about the nginx mailing list