Force re-authentication
Summary
The system must force users to re-authenticate or invalidate their session if the state of their account changes (e.g., password change/recovery, lockouts, user deletion, etc.).
Description
When important changes occur, such as a password change, account recovery, lockout, or user deletion, there is a potential risk of unauthorized access if an existing session remains active. Forcing re-authentication ensures that only the legitimate account owner can continue with granted access to the account.
References
- OWASP10-A7. Identification and authentication failures
- MITRE-M1036. Account use policies
- PADSS-3_1_11. Require the user to re-authenticate to re-activate the session (inactive)
- CMMC-AC_L2-3_1_11. Session termination
- WASC-W_49. Insufficient password recovery
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASPSCP-4. Session management
- OWASPSCP-5. Access control
- ASVS-2_1_6. Password security
- ASVS-3_3_2. Session termination
- PCI-8_2_8. User identification for users and administrators are strictly managed
- ASVS-2_8_6. One time verifier
- ASVS-3_3_3. Session termination
- ASVS-4_2_2. Operation level access control
- CASA-2_8_6. One Time Verifier
- CASA-3_3_3. Session Termination
- CASA-4_2_2. Operation Level Access Control
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan