Skip to main content

Discard user session data


When a session is terminated, either manually or automatically, the system must discard all related data and the session tokens must lose their validity.


Session tokens have associated permissions that allow any actor who possesses them to perform actions in a system. If session tokens are not removed from the client-side storage nor from the server, it increases the chances that they will be compromised. Furthermore, if they are not invalidated once a session is closed, the time during which a compromised session can be used maliciously is increased.

Supported In​

This requirement is verified in following services




free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.