Force re-authentication
Summary
The system must force users to re-authenticate or invalidate their session if the state of their account changes (e.g., password change/recovery, lockouts, user deletion, etc.).
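The mechanism behind this requirement is usually a per-account "authentication version" (or credential epoch) that every session captures at login and that is incremented on each account-state change; a session whose recorded version no longer matches the account's is stale and must be re-authenticated. The following is an added illustration written for this page, not code from the original page or from any product; the in-memory `AuthService`, its `Account` and `Session` types and the constructed users are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    auth_version: int = 0      # incremented on every account-state change
    locked: bool = False
    deleted: bool = False


@dataclass
class Session:
    username: str
    auth_version: int          # account version observed at login time
    issued_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Constructed in-memory model of user accounts and server-side sessions."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or acct.deleted or acct.locked:
            return None
        if not secrets.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        # The session is bound to the account state as it was at login.
        self.sessions[token] = Session(username, acct.auth_version, time.time())
        return token

    def current_user(self, token: str) -> Optional[Account]:
        """Resolve a session token; None means the caller must re-authenticate."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        acct = self.accounts.get(sess.username)
        # Any of these conditions means the account changed after login:
        # deletion, lockout, or a credential/state change that bumped the version.
        if acct is None or acct.deleted or acct.locked or sess.auth_version != acct.auth_version:
            self.sessions.pop(token, None)   # evict the stale session
            return None
        return acct

    def _invalidate_sessions(self, username: str) -> None:
        # Bumping the version is enough: every existing session for this user
        # now carries an outdated value and fails the check in current_user().
        self.accounts[username].auth_version += 1

    def change_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        self._invalidate_sessions(username)

    def lock_account(self, username: str) -> None:
        self.accounts[username].locked = True
        self._invalidate_sessions(username)

    def delete_account(self, username: str) -> None:
        self.accounts[username].deleted = True
        self._invalidate_sessions(username)
```

The version comparison is what makes the control robust: it does not depend on being able to enumerate and delete every session of a user at the moment of the change (which is hard when sessions live in a distributed cache or in signed tokens), because any stale session is rejected the next time it is presented. Eagerly deleting the user's sessions on top of that is a reasonable addition where the store supports it.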
Description
empty
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1036. Account use policies
- PA-DSS-3_1_11. Require the user to re-authenticate to re-activate the session (inactive)
- CMMC-AC_L2-3_1_11. Session termination
- WASC-W_49. Insufficient password recovery
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASP SCP-4. Session management
- OWASP SCP-5. Access control
- OWASP ASVS-2_1_6. Password security
- OWASP ASVS-3_3_2. Session termination
- PCI DSS-8_2_8. User identification for users and administrators are strictly managed
- OWASP ASVS-2_8_6. One time verifier
- OWASP ASVS-3_3_3. Session termination
- OWASP ASVS-4_2_2. Operation level access control
- CASA-2_8_6. One Time Verifier
- CASA-3_3_3. Session Termination
- CASA-4_2_2. Operation Level Access Control
Vulnerabilities
- 076. Insecure session management
- 295. Insecure session management - Change Password
- 337. Insecure session management - CSRF Fixation