Discard user session data
Summary
When a session is terminated, either manually or automatically, the system must discard all related data and the session tokens must lose their validity.
Description
Session tokens have associated permissions that allow any actor who possesses them to perform actions in a system. If session tokens are not removed from the client-side storage nor from the server, it increases the chances that they will be compromised. Furthermore, if they are not invalidated once a session is closed, the time during which a compromised session can be used maliciously is increased.
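The two halves of the requirement above, discarding server-side session data and making the token unusable, are shown in the following added example. It is constructed for this page and is not code from the original or from any particular framework; the store, the `Session` record, the timeout values and the cookie name `session` are all assumptions. The server keeps only a hash of the token, so a dump of the store does not yield usable tokens, and both manual logout and automatic expiry go through the same `terminate` path so that no data survives either kind of termination. The `logout_headers` helper produces the response headers that tell the browser to drop its own copy.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session registry (constructed example, not a real library)."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600):
        self._sessions = {}  # sha256(token) -> Session
        self.idle_timeout = idle_timeout          # seconds without activity
        self.absolute_timeout = absolute_timeout  # seconds since creation

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored; the raw token lives solely on the client.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str, now=None):
        """Return the live Session for a token, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(self._key(token))
        if sess is None:
            return None
        idle = now - sess.last_seen > self.idle_timeout
        too_old = now - sess.created_at > self.absolute_timeout
        if idle or too_old:
            # Automatic termination: same cleanup as an explicit logout.
            self.terminate(token)
            return None
        sess.last_seen = now
        return sess

    def terminate(self, token: str) -> bool:
        """Manual or automatic termination: drop every piece of state for the token."""
        sess = self._sessions.pop(self._key(token), None)
        if sess is None:
            return False
        sess.data.clear()  # even a lingering reference sees no session data
        return True

    def terminate_all_for_user(self, user: str) -> int:
        """Invalidate every session of a user, e.g. after a password change."""
        keys = [k for k, s in self._sessions.items() if s.user == user]
        for k in keys:
            self._sessions.pop(k).data.clear()
        return len(keys)


def logout_headers(cookie_name="session") -> dict:
    """Response headers that make the browser discard its client-side copy."""
    return {
        # Max-Age=0 deletes the cookie; attributes match those used when it was set.
        "Set-Cookie": f"{cookie_name}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
        # Also clears cookies and web storage for the origin in supporting browsers.
        "Clear-Site-Data": '"cookies", "storage"',
    }


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    tok = store.create("alice", now=1000)
    store.validate(tok, now=1010).data["cart"] = ["item-1"]
    store.terminate(tok)
    print("after logout:", store.validate(tok, now=1011))  # None
    print(logout_headers())
```

The logout handler of a real application would call `terminate` with the presented token and return `logout_headers()`; a token that was copied elsewhere before logout is then rejected on its next use, which is the whole point of the requirement.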
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- NIST 800-63B-7_1. Session bindings
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP-M TOP 10-M6. Insecure authorization
- CMMC-AC_L2-3_1_11. Session termination
- CMMC-SC_L2-3_13_9. Connections termination
- CWE™-613. Insufficient session expiration
- HITRUST CSF-01_t. Session time-out
- ISA/IEC 62443-SI-3_8. Session integrity
- WASSEC-3_1. Session management capabilities
- OWASP Top 10 Privacy Risks-P8. Missing or insufficient session expiration
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASP SCP-4. Session management
- NIST 800-171-5_6. Disable identifiers after a defined period of inactivity
- SWIFT CSCF-5_2. Token management
- OWASP ASVS-3_4_5. Cookie-based session management
- OWASP ASVS-4_2_2. Operation level access control
- OWASP MASVS-V6_10. Platform interaction requirements
- CASA-4_2_2. Operation Level Access Control
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.