When a session is terminated, either manually or automatically, the system must discard all related data and the session tokens must lose their validity.
Session tokens carry permissions that allow whoever possesses them to perform actions in the system. If session tokens are not removed from client-side storage or from the server, the chances that they will be compromised increase. Furthermore, if they are not invalidated once a session is closed, the window during which a compromised session can be used maliciously is extended.
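As an added illustration (not code from the original requirement page), a minimal server-side session store that covers both halves of the requirement: terminating a session, manually via logout or automatically on idle timeout, discards the server-side state and makes the token unusable, and the logout response instructs the client to drop the cookie. The in-memory store, the 900-second idle timeout and the cookie name are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity before automatic termination (assumed value)


class SessionStore:
    """In-memory server-side session store (illustrative, not production code)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._sessions = {}      # token -> {"user": str, "data": dict, "last_seen": float}

    def create(self, user):
        # 256-bit random token; the server never derives it from user data
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "data": {}, "last_seen": self._now()}
        return token

    def validate(self, token):
        """Return the live session for a token, or None; idle sessions are terminated here."""
        session = self._sessions.get(token)
        if session is None:
            return None                      # unknown, or already terminated
        if self._now() - session["last_seen"] > IDLE_TIMEOUT:
            self.terminate(token)            # automatic termination on inactivity
            return None
        session["last_seen"] = self._now()
        return session

    def terminate(self, token):
        """Discard all server-side state; the token is invalid from this point on."""
        session = self._sessions.pop(token, None)
        if session is None:
            return False
        session["data"].clear()              # eagerly drop related data, not just the index entry
        return True


def logout_response(store, token):
    """Invalidate server-side first, then tell the client to delete its copy of the cookie."""
    store.terminate(token)
    # Max-Age=0 expires the cookie immediately; flags mirror what the live cookie should carry
    return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Strict"}
```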
This requirement is verified in the following services
- NIST 800-63B-7_1. Session bindings
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP-M TOP 10-M6. Insecure authorization
- CMMC-AC_L2-3_1_11. Session termination
- CMMC-SC_L2-3_13_9. Connections termination
- CWE™-613. Insufficient session expiration
- HITRUST CSF-01_t. Session time-out
- ISA/IEC 62443-SI-3_8. Session integrity
- WASSEC-3_1. Session management capabilities
- OWASP Top 10 Privacy Risks-P8. Missing or insufficient session expiration
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASP SCP-4. Session management
- NIST 800-171-5_6. Disable identifiers after a defined period of inactivity
- SWIFT CSCF-5_2. Token management
- OWASP ASVS-3_4_5. Cookie-based session management
- OWASP ASVS-4_2_2. Operation level access control
- OWASP MASVS-V6_10. Platform interaction requirements
- CASA-4_2_2. Operation Level Access Control