025 – Manage concurrent sessions

Summary

The concurrent sessions of a system must be informed or controlled.

Description

A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This can pose a risk for the service, the information and the system users, by allowing malicious users to interact simultaneously with the system using a valid user, thus leading to undetected identity thefts, unauthorized actions in name of the user (impersonation) and a loss of traceability of the impersonated users actions.

Supported In

Advanced: True

References

• CAPEC-227. Sustained client engagement
• NIST80063-7_1. Session bindings
• OWASP10-A7. Identification and authentication failures
• NYDFS-500_10. Cybersecurity personnel and intelligence
• MITRE-M1018. User account management
• MITRE-M1026. Privileged account management
• PADSS-10_2_3. Remote access to customer's payment applications must be implemented securely
• PDPO-6_31. Matching procedure request
• CMMC-SC_L2-3_13_7. Split tunneling
• FEDRAMP-AC-10. Concurrent session control
• FEDRAMP-IA-5_8. Authenticator management - Multiple information system accounts
• IEC62443-UC-2_7. Concurrent session control
• WASSEC-3_1. Session management capabilities
• WASSEC-4_1_5. Supporting concurrent sessions
• OWASPSCP-3. Authentication and password management
• OWASPSCP-4. Session management
• NIST-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization

Weaknesses

• 301 – Concurrent sessions control bypass
• 062 – Concurrent sessions

Last updated

2024/03/05