REQ.031 Discard user session data
When closing a session (automatic or manual), all data related to user session must be discarded.
OWASP-ASVS v3.1-2.12 Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.
OWASP-ASVS v3.1-3.2. Verify that sessions are invalidated when the user logs out.
OWASP-ASVS v3.1-9.14 Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.
NIST 800-53 AC-12 Session termination: The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.
BSSIM9 SM2.6: Require security sign-off.