Skip to main content

Manage concurrent sessions


The concurrent sessions of a system must be informed or controlled.


A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This can pose a risk for the service, the information and the system users, by allowing malicious users to interact simultaneously with the system using a valid user, thus leading to undetected identity thefts, unauthorized actions in name of the user (impersonation) and a loss of traceability of the impersonated user's actions <<r1, ^[1]^>> <<r2, ^[2]^>>.


  1. Restrict or remove concurrent sessions: Configure in the system the option to restrain the simultaneous connections using the same access credentials, either from an external authentication system or from the same system.


  1. An attacker logs in simultaneously using the account of a valid user.

  2. An attacker performs actions without traceability nor authorization.


  1. Layer: Application layer
  2. Asset: Session management
  3. Scope: Integrity
  4. Phase: Operation
  5. Type of control: Procedure


  • CAPEC-227: Sustained Client Engagement: An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible.

  • CWE-384: Session Fixation: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

  • NIST 800-63B 7.1 Session Bindings: Secrets used for session binding SHALL be generated by the session host during an interaction, typically immediately following authentication.

  • OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  • OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.3): Verify that secure notifications are sent to users after updates to authentication details such as credential resets, email or address changes, logging in from unknown or risky locations.

  • OWASP-ASVS v4.0.1 V3.2 Session Binding Requirements.(3.2.1): Verify the application generates a new session token on user authentication.

  • PCI DSS v3.0 - Requirement 6.5.10: Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques.

  • PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.