Manage concurrent sessions
Summary
The concurrent sessions of a system must be informed or controlled.
Description
A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This can pose a risk for the service, the information and the system users, by allowing malicious users to interact simultaneously with the system using a valid user, thus leading to undetected identity thefts, unauthorized actions in name of the user (impersonation) and a loss of traceability of the impersonated users actions.
Supported In
This requirement is verified in following services
Plan | Supported |
---|---|
Essential | 🔴 |
Advanced | 🟢 |
References
- CAPEC™-227. Sustained client engagement
- NIST 800-63B-7_1. Session bindings
- OWASP TOP 10-A7. Identification and authentication failures
- NYDFS-500_10. Cybersecurity personnel and intelligence
- MITRE ATT&CK®-M1018. User account management
- MITRE ATT&CK®-M1026. Privileged account management
- PA-DSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- PDPO-6_31. Matching procedure request
- CMMC-SC_L2-3_13_7. Split tunneling
- FedRAMP-AC-10. Concurrent session control
- FedRAMP-IA-5_8. Authenticator management - Multiple information system accounts
- ISA/IEC 62443-UC-2_7. Concurrent session control
- WASSEC-3_1. Session management capabilities
- WASSEC-4_1_5. Supporting concurrent sessions
- OWASP SCP-3. Authentication and password management
- OWASP SCP-4. Session management
- NIST CSF-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization
Vulnerabilities
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.