SESSION MANAGEMENT (SM6)
Gary can take over a user's session because there is a long or no inactivity timeout, or a long or no overall session time limit, or the same session can be used from more than one device/location
Gary can take over a user's session because there is a long or no inactivity timeout, or a long or no overall session time limit, or the same session can be used from more than one device/location
OWASP SCP
64,65
OWASP ASVS
3.3.2,3.3.3,3.3.4
OWASP AppSensor
SE5,SE6
CAPEC
-
SAFECODE
28
There should be a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements. This could be role-dependent. Additionally disallow persistent logins and enforce periodic session terminations (e.g. after 8 or 12 hours), even when the session is active, especially for applications supporting rich network connections or connecting to critical systems. Termination times should support business requirements and the user should receive sufficient notification to mitigate negative impacts.
NB: This card primarily relates to session timeout, but also includes using the same session identifier in concurrent sessions. See SM 3 for concurrent sessions created by authenticating more than once in different browsers/devices.
Mappings
OWASP ASVS (4.0): 3.3.2 ,3.3.3 ,3.3.4
Capec: 21
OWASP SCP: 64,65
OWASP Appsensor: SE5,SE6
Safecode: 28
ASVS (4.0) Cheatsheetseries Index
ASVS V3.3 - Session Logout and Timeout Requirements
No suitable mappings were found.
