Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

REQ.025 Manage concurrent sessions

This documents contains the details of the security requirements related to web application session management and session variables. This requirement establishes the importance of informing and controlling concurrent sessions, in order to detect user impersonations and identity thefts.


The concurrent sessions of a system must be informed or controlled.


A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This may pose a risk for the service, the information and the system users, by allowing malicious users to interact simultaneously with the system using a valid user, leading to undetected identity thefts, unauthorized actions in name of the user (impersonation) and a loss of traceability of the impersonated user’s actions [1] [2].


  1. Restrict or remove concurrent sessions: Configure in the system the option to restrain the simultaneous connections using the same access credentials, either from an external authentication system or from the same system.


  1. An attacker logs in simultaneously using the account of a valid user.

  2. An attacker performs actions without traceability nor authorization.


  1. Layer: Application Layer.

  2. Asset: Session Management.

  3. Scope: Integrity.

  4. Phase: Operation.

  5. Control Type: Procedure.

Service status - Terms of Use