Manage concurrent sessions
Summary
The concurrent sessions of a system must be informed or controlled.
Description
A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This can pose a risk for the service, the information and the system users, by allowing malicious users to interact simultaneously with the system using a valid user, thus leading to undetected identity thefts, unauthorized actions in name of the user (impersonation) and a loss of traceability of the impersonated users actions.
References
- CAPEC-227. Sustained client engagement
- NIST80063-7_1. Session bindings
- OWASP10-A7. Identification and authentication failures
- NYDFS-500_10. Cybersecurity personnel and intelligence
- MITRE-M1018. User account management
- MITRE-M1026. Privileged account management
- PADSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- PDPO-6_31. Matching procedure request
- CMMC-SC_L2-3_13_7. Split tunneling
- FEDRAMP-AC-10. Concurrent session control
- FEDRAMP-IA-5_8. Authenticator management - Multiple information system accounts
- IEC62443-UC-2_7. Concurrent session control
- WASSEC-3_1. Session management capabilities
- WASSEC-4_1_5. Supporting concurrent sessions
- OWASPSCP-3. Authentication and password management
- OWASPSCP-4. Session management
- NIST-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan