The system must allow users to view and manually log out of any or all active sessions and devices.
Session tokens have associated permissions that allow any actor who possesses them to perform actions in a system. If a user leaves a session open and loses access to the device on which it resides, anyone with access to the device will be able to use that session. Therefore, the system should allow users to view and log out of any active session.
BSIMM9 SM2.6: Require security sign-off.
CWE-613: Insufficient Session Expiration. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
NIST 800-63B 7.1 Session Bindings Secrets used for session binding SHALL be erased or invalidated by the session subject when the subscriber logs out.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V3.3 Session Logout and Timeout Requirements.(3.3.4) Verify that users are able to view and log out of any or all currently active sessions and devices.
OWASP-ASVS v4.0.1 V3.5 Token-based Session Management.(3.5.1) Verify the application does not treat OAuth and refresh tokens — on their own — as the presence of the subscriber and allows users to terminate trust relationships with linked applications.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.