Young hacker smiling

We hack your software

zero false positives

Expert intelligence + specialized technology

REQ.031 Discard user session data

This document contains the details of the security requirements related to the definition and management of sessions and session variables in the organization. This requirement establishes the importance of defining controls to manage object sessions securely to avoid common attacks.

Requirement

When closing a session (automatic or manual), all data related to user session must be discarded.

References

  1. OWASP-ASVS v3.1-2.12 Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.

  2. OWASP-ASVS v3.1-3.2. Verify that sessions are invalidated when the user logs out.

  3. OWASP-ASVS v3.1-9.14 Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.

  4. NIST 800-53 AC-12 Session termination: The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.


Service status - Terms of Use