REQ.025 Manage concurrent sessions
The concurrent sessions of a system must be informed or controlled.
A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This may pose a risk for the service, the information and the system users, by allowing malicious users to interact simultaneously with the system using a valid user’s account, leading to undetected identity theft, unauthorized actions in the name of the user (impersonation) and a loss of traceability of the impersonated user’s actions.
Restrict or remove concurrent sessions: Configure, either in an external authentication system or in the system itself, the option to restrict simultaneous connections that use the same access credentials.
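One way to enforce this at the application layer, shown as an added example that is not part of the original requirement: a session registry that caps sessions per user, either refusing the new login or closing the oldest session, and reports other open sessions to the user. The class and method names and the in-memory store are assumptions; a real deployment would keep this state in a store shared by all application nodes.

```python
import itertools
import secrets
from collections import defaultdict

class SessionLimitExceeded(Exception):
    """Raised when a login would exceed the per-user session limit."""

class SessionRegistry:
    """Hypothetical in-memory registry of active sessions per user."""

    def __init__(self, max_sessions=1, policy="deny"):
        if max_sessions < 1 or policy not in ("deny", "evict_oldest"):
            raise ValueError("need max_sessions >= 1 and a known policy")
        self.max_sessions = max_sessions
        self.policy = policy
        self._seq = itertools.count()      # creation order of sessions
        self._by_user = defaultdict(dict)  # user -> {session_id: metadata}

    def login(self, user, source_ip):
        """Create a session; return (session_id, notices shown to the user)."""
        sessions = self._by_user[user]
        notices = []
        while len(sessions) >= self.max_sessions:
            if self.policy == "deny":
                raise SessionLimitExceeded(f"{user} already has an active session")
            oldest = min(sessions, key=lambda s: sessions[s]["created"])
            evicted = sessions.pop(oldest)
            notices.append(f"closed earlier session from {evicted['ip']}")
        # "Inform": report sessions that remain open elsewhere.
        notices += [f"active session from {m['ip']}" for m in sessions.values()]
        session_id = secrets.token_urlsafe(32)
        sessions[session_id] = {"ip": source_ip, "created": next(self._seq)}
        return session_id, notices

    def is_valid(self, user, session_id):
        """Call on every request so that an evicted session stops working."""
        return session_id in self._by_user.get(user, {})

    def logout(self, user, session_id):
        self._by_user.get(user, {}).pop(session_id, None)
```

The notices returned by `login` should also be written to the audit log, so that a second login with the same credentials leaves a trace even when it is allowed.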
An attacker logs in simultaneously using the account of a valid user.
An attacker performs actions without traceability or authorization.
Layer: Application Layer.
Asset: Session Management.
Control Type: Procedure.