031 – Discard user session data

Summary

When a session is terminated, either manually or automatically, the system must discard all related data and the session tokens must lose their validity.

Description

Session tokens have associated permissions that allow any actor who possesses them to perform actions in a system. If session tokens are not removed from the client-side storage nor from the server, it increases the chances that they will be compromised. Furthermore, if they are not invalidated once a session is closed, the time during which a compromised session can be used maliciously is increased.

Supported In

Advanced: True

References

• NIST80063-7_1. Session bindings
• OWASP10-A7. Identification and authentication failures
• OWASPM10-M6. Insecure authorization
• CMMC-AC_L2-3_1_11. Session termination
• CMMC-SC_L2-3_13_9. Connections termination
• CWE-613. Insufficient session expiration
• HITRUST-01_t. Session time-out
• IEC62443-SI-3_8. Session integrity
• WASSEC-3_1. Session management capabilities
• OWASPRISKS-P8. Missing or insufficient session expiration
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASPSCP-4. Session management
• NIST800171-5_6. Disable identifiers after a defined period of inactivity
• SWIFTCSC-5_2. Token management
• ASVS-3_4_5. Cookie-based session management
• ASVS-4_2_2. Operation level access control
• CASA-4_2_2. Operation Level Access Control

Weaknesses

• 337 – Insecure session management - CSRF Fixation
• 076 – Insecure session management

Last updated

2023/09/18