The system must provide users the option to manually lock their session from any resource protected by authentication.
NIST 800-53 AC-2 (2): The information system automatically removes or disable the temporary and emergency accounts after a short period of time defined by the organization for each type of account.
NIST 800-53 AC-2 (13): The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.