Does nginx use unique session identifiers
Francis Daly
francis at daoine.org
Thu Jul 11 15:22:52 UTC 2019
On Tue, Jul 09, 2019 at 06:40:06PM +0000, Lemons, Terry wrote:
Hi there,
> One of the rules (https://www.stigviewer.com/stig/web_server_security_requirements_guide/2014-11-17/finding/V-41807) states, "The web server must generate unique session identifiers that cannot be reliably reproduced." I searched the nginx documentation, but wasn't able to confirm that unique session identifiers are used.
>
> Are they?
I think that that rule is intended as something like:
if session identifiers are generated, then they must not be guessable.
And I think that nginx does not generate session identifiers, unless
you ask it to.
If you do ask it to, then you possibly will use the "userid" directive
(http://nginx.org/r/userid, plus the rest of that page).
If you use "userid", then what it does is in the file
./src/http/modules/ngx_http_userid_filter_module.c
The main "hopefully unguessable" part there seems to be "the number of
microseconds past the second, at the instant that this code ran". But
you shouldn't trust my interpretation of it, when you can read it
yourself.
Cheers,
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list