REQ.031 Discard user session data
When closing a session (automatic or manual), all data related to user session must be discarded.
OWASP-ASVS v3.1-2.12 Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.
OWASP-ASVS v3.1-3.2. Verify that sessions are invalidated when the user logs out.