The system must force users to re-authenticate or invalidate their session if the state of their account changes (e.g., password change/recovery, lockouts, user deletion, etc.).
CWE-613: Insufficient Session Expiration. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens.
OWASP-ASVS v4.0.1 V3.3 Session Logout and Timeout Requirements.(3.3.3) Verify that the application terminates all other active sessions after a successful password change.
OWASP-ASVS v4.0.1 V3.7 Defenses Against Session Management Exploits.(3.7.1) Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.