The local Administrator account is all that’s required.
GigaFlow – what password hashing is used for storing local user passwords?
We use PBKDF2 on the password after it has been salted with a unique salt per user.
Does it create session IDs when users log in?
Yes, a web session cookie is set when the user logs in.
If so, how is the session ID created? STIG requires the ID not to have a URL embedded.
“JSESSIONIDAnuviewflow”+httpport+”systemstarttime”
The session ID has no URL in it and is generated using:
Worker name (e.g. node0), a randomly generated unique ID (e.g. 123x0dsf) and the .worker name (e.g. .node0).
Below is an example from a live server
Does it destroy the session ID value/cookie when the session is ended?
Yes
Using developer tools, I see the HttpOnly flag is not set. Is there a way to change it?
Not currently; this would require a change request.
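
A check for the session-cookie properties discussed above (no URL in the session ID, HttpOnly set), as an added example that is not GigaFlow code. The cookie name `JSESSIONID`, the sample header and the ID shape regex are assumptions constructed from the description on this page.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample header (not captured from a real server). The value follows
# the shape described above: worker name + random ID + "." + worker name.
SAMPLE_SET_COOKIE = "JSESSIONID=node0123x0dsf.node0; Path=/"

# A literal or percent-encoded "://" in the value suggests an embedded URL.
URL_MARKER = re.compile(r"(?i)(://|%3a%2f%2f)")
# Assumed ID shape, inferred from the description: <worker><id>.<worker>
ID_SHAPE = re.compile(r"^(\w+?)\w+\.\1$")


def audit_session_cookie(set_cookie_header):
    """Return a list of findings for one Set-Cookie header value."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    if not cookie:
        # SimpleCookie silently yields nothing for empty or malformed input.
        return ["no cookie parsed from header"]
    findings = []
    for name, morsel in cookie.items():
        if URL_MARKER.search(morsel.value):
            findings.append(f"{name}: value appears to embed a URL")
        if not ID_SHAPE.match(morsel.value):
            findings.append(f"{name}: value does not match assumed ID shape")
        if not morsel["httponly"]:
            findings.append(f"{name}: HttpOnly flag missing")
        if not morsel["secure"]:
            findings.append(f"{name}: Secure flag missing")
    return findings


if __name__ == "__main__":
    for finding in audit_session_cookie(SAMPLE_SET_COOKIE):
        print(finding)
```

Feed it the `Set-Cookie` value seen in the browser's developer tools or a proxy capture; an empty list means none of the checks fired.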