REQ.031 Discard user session data

This document contains the details of the security requirements related to the definition and management of sessions and session variables in the organization. This requirement establishes the importance of defining controls to manage session objects securely in order to avoid common attacks.


When closing a session (automatically or manually), all data related to the user's session must be discarded.
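The following is an added example, not part of the original requirement text, showing one way to implement this requirement end to end: a server-side session store whose `terminate` operation drops every session variable (not just the identifier mapping), automatic termination after an assumed idle limit, logout response headers that instruct the browser to discard its cookie and client-side storage, and an audit trail that records the decision without the raw session identifier. The class and function names, the in-memory store and the 900-second idle limit are all assumptions made for this illustration.

```python
import hashlib
import secrets
import time

# Assumed organization-defined idle limit after which a session is terminated
# automatically; the value itself is a placeholder for this example.
IDLE_TIMEOUT_SECONDS = 900


class SessionStore:
    """Constructed in-memory store for the example; a deployment would back the
    same operations with a database or cache."""

    def __init__(self, clock=time.time):
        # session id -> {"user": ..., "data": {...session variables...}, "last_seen": ts}
        self._sessions = {}
        self._clock = clock
        self.audit_log = []  # authentication decisions, without raw identifiers

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "data": {}, "last_seen": self._clock()}
        self._log("login", user, sid)
        return sid

    def get(self, sid):
        """Return the live session, or None if it is unknown or idle-expired.
        An expired session is discarded on the spot (automatic termination)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.terminate(sid, reason="idle_timeout")
            return None
        s["last_seen"] = self._clock()
        return s

    def terminate(self, sid, reason="logout"):
        """Discard every piece of server-side state bound to the session.
        Returns False if the identifier was not a live session."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return False
        s["data"].clear()  # drop the session variables, not only the id mapping
        self._log(reason, s["user"], sid)
        return True

    def _log(self, event, user, sid):
        # Record the decision with enough metadata to investigate, but never the
        # raw session identifier: a short digest is enough to correlate events.
        ref = hashlib.sha256(sid.encode()).hexdigest()[:12]
        self.audit_log.append(
            {"event": event, "user": user, "session_ref": ref, "ts": self._clock()}
        )


def logout_response_headers(cookie_name="session"):
    """Headers telling the browser to drop the session cookie, purge client-side
    storage (localStorage, sessionStorage, IndexedDB) and not cache the reply."""
    return {
        "Set-Cookie": f"{cookie_name}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict",
        "Clear-Site-Data": '"cookies", "storage"',
        "Cache-Control": "no-store",
    }


def logout(store, sid):
    """Manual logout: invalidate server side first, then instruct the client to
    discard its copy. The headers are returned even if the session was already
    gone, so the client never keeps stale authenticated data."""
    store.terminate(sid, reason="logout")
    return logout_response_headers()
```

The two halves matter together: invalidating only the cookie leaves the server-side state reusable by anyone who still holds the identifier, while invalidating only the server side leaves authenticated data in the browser's storage.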


  1. OWASP-ASVS v3.1-2.12 Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.

  2. OWASP-ASVS v3.1-3.2 Verify that sessions are invalidated when the user logs out.

  3. OWASP-ASVS v3.1-9.14 Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.

  4. NIST 800-53 AC-12 Session termination: The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

  5. BSIMM9 SM2.6: Require security sign-off.

