141 – Force re-authentication

Summary

The system must force users to re-authenticate or invalidate their session if the state of their account changes (e.g., password change/recovery, lockouts, user deletion, etc.).

Description

When important changes occur, such as a password change, account recovery, lockout, or user deletion, there is a potential risk of unauthorized access if an existing session remains active. Forcing re-authentication ensures that only the legitimate account owner can continue with granted access to the account.

Supported In

Advanced: True

References

• OWASP10-A7. Identification and authentication failures
• MITRE-M1036. Account use policies
• PADSS-3_1_11. Require the user to re-authenticate to re-activate the session (inactive)
• CMMC-AC_L2-3_1_11. Session termination
• WASC-W_49. Insufficient password recovery
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASPSCP-4. Session management
• OWASPSCP-5. Access control
• ASVS-2_1_6. Password security
• ASVS-3_3_2. Session termination
• PCI-8_2_8. User identification for users and administrators are strictly managed
• ASVS-2_8_6. One time verifier
• ASVS-3_3_3. Session termination
• ASVS-4_2_2. Operation level access control
• CASA-2_8_6. One Time Verifier
• CASA-3_3_3. Session Termination
• CASA-4_2_2. Operation Level Access Control

Weaknesses

• 295 – Insecure session management - Change Password
• 337 – Insecure session management - CSRF Fixation
• 076 – Insecure session management

Last updated

2024/01/18