Young hacker smiling

We hack your software

zero false positives

Attacking Applications, APIs, Mobile Apps Servers, Networks, IoT Devices
ICS: Industrial Control System
SOC: Security Operations Center

REQ.031 Discard user session data

This document contains the details of the security requirements related to the definition and management of sessions and session variables in the organization. This requirement establishes the importance of defining controls to manage object sessions securely to avoid common attacks.


When closing a session (automatic or manual), all data related to user session must be discarded.


  1. OWASP-ASVS v3.1-2.12 Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.

  2. OWASP-ASVS v3.1-3.2. Verify that sessions are invalidated when the user logs out.

Service status - Terms of Use