Discard user session data

Requirement

When a session is terminated, either manually or automatically, the system must discard all related data and the session tokens must lose their validity.

Description

Session tokens carry the permissions of the user they were issued to, so any actor who possesses one can perform actions in the system on that user's behalf. If session tokens are removed neither from client-side storage nor from the server, the chances that they will be compromised increase. Furthermore, if they are not invalidated once a session is closed, the window during which a compromised session can be used maliciously is extended.
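The following is an added illustration of the requirement, not code from the original page: a minimal in-memory session store (the `SessionStore` class, `IDLE_TIMEOUT` and `logout_headers` are assumed names) in which both manual termination (logout) and automatic termination (idle timeout) discard all server-side session data, after which the token is rejected, and logout also returns the cookie header that removes the token from client-side storage.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a session terminates automatically


class SessionStore:
    """Illustrative store mapping token -> {user, data, last_seen} (not a library API)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        # Unpredictable token; all state lives server-side under this key
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._sessions[token] = {"user": user, "data": {}, "last_seen": now}
        return token

    def validate(self, token, now=None):
        """Return the owning user, or None if the token is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None  # never issued, or already terminated: the token has no validity
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            # Automatic termination: discard the data, do not merely refuse this request
            self.terminate(token)
            return None
        entry["last_seen"] = now
        return entry["user"]

    def terminate(self, token):
        """Manual termination (logout): drop every piece of server-side data for the token."""
        return self._sessions.pop(token, None) is not None


def logout_headers():
    # Cookie with Max-Age=0 instructs the browser to delete the token from its storage
    return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Strict"}
```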