R141. Force re-authentication

Requirement

The system must force a user to re-authenticate or invalidate their session if the state of their account changes (password change/recovery, lockouts, user deletion, etc.).
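As an added illustration that is not part of the Fluid Attacks requirement text: one common way to meet this requirement is to stamp every session with the account's "authentication version" at login and to bump that version on any security-relevant account change. Sessions whose stored version no longer matches are rejected on their next request, a lockout or deletion rejects them outright, and, per ASVS 3.3.3, the one session that performed a password change can be kept alive while every other session of that user is terminated. Names such as `SessionStore`, `auth_version` and the `demo()` walkthrough are assumptions made for this example; the scrypt parameters are illustrative and the in-memory dictionaries stand in for whatever persistent store a real application uses.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    auth_version: int = 0   # incremented on every security-relevant state change
    locked: bool = False


@dataclass
class Session:
    user_id: str
    auth_version: int       # copy of Account.auth_version when the session was issued


def hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library scrypt; cost parameters are illustrative (assumption), tune for production.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class SessionStore:
    """In-memory accounts and sessions (assumed stand-in for a real store).
    A session is valid only while its auth_version matches the account's current one."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def create_account(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def login(self, user_id: str, password: str) -> Optional[str]:
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            return None
        if not secrets.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)            # opaque, unguessable session identifier
        self.sessions[token] = Session(user_id, acct.auth_version)
        return token

    def is_valid(self, token: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        acct = self.accounts.get(sess.user_id)
        # Deleted account, lockout, or a version bump since login: drop the session.
        if acct is None or acct.locked or acct.auth_version != sess.auth_version:
            del self.sessions[token]
            return False
        return True

    def _revoke_sessions(self, user_id: str, keep: Optional[str] = None) -> None:
        stale = [t for t, s in self.sessions.items() if s.user_id == user_id and t != keep]
        for t in stale:
            del self.sessions[t]

    def change_password(self, token: str, new_password: str) -> bool:
        if not self.is_valid(token):                 # caller must hold a currently valid session
            return False
        sess = self.sessions[token]
        acct = self.accounts[sess.user_id]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        acct.auth_version += 1
        sess.auth_version = acct.auth_version        # the session that made the change stays valid
        self._revoke_sessions(acct.user_id, keep=token)  # every other session is terminated
        return True

    def lock_account(self, user_id: str) -> None:
        if user_id in self.accounts:
            self.accounts[user_id].locked = True
            self._revoke_sessions(user_id)

    def delete_account(self, user_id: str) -> None:
        self.accounts.pop(user_id, None)
        self._revoke_sessions(user_id)


def demo() -> Dict[str, bool]:
    # Constructed walkthrough: one user logged in on two devices.
    store = SessionStore()
    store.create_account("alice", "correct horse battery staple")
    laptop = store.login("alice", "correct horse battery staple")
    phone = store.login("alice", "correct horse battery staple")
    results = {"both_valid_after_login": store.is_valid(laptop) and store.is_valid(phone)}
    store.change_password(laptop, "new passphrase")
    results["changer_still_valid"] = store.is_valid(laptop)
    results["other_device_still_valid"] = store.is_valid(phone)
    results["old_password_rejected"] = store.login("alice", "correct horse battery staple") is None
    store.lock_account("alice")
    results["locked_revokes_all"] = not store.is_valid(laptop)
    return results


if __name__ == "__main__":
    print(demo())
```

The version check runs on every request, so the control does not depend on the password-change code path finding and deleting each session itself; the eager purge in `_revoke_sessions` is a belt-and-braces step that also frees storage. The same counter can be bumped from a password-recovery flow or an administrative lockout without those flows needing to know anything about the session store.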

References

  1. CWE-613: Insufficient Session Expiration. According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

  2. OWASP-ASVS v4.0.1 V3.3 Session Logout and Timeout Requirements. (3.3.3) Verify that the application terminates all other active sessions after a successful password change, and that this is effective across the application, federated login (if present), and any relying parties.

  3. OWASP-ASVS v4.0.1 V3.7 Defenses Against Session Management Exploits. (3.7.1) Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.