Merge pull request #430 from bugcrowd/concurrent-sessions-on-logout

Updated rec for Failure to Invalidate Concurrent Sessions on Logout

submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/recommendations.md

@@ -1,6 +1,10 @@
 # Recommendation(s)
 
-The application should monitor and alert the user to concurrent login events and provide the user a way to logout of other sessions than their current login.
+The application should invalidate all current user sessions, both server-side and client-side, when a user logs out.
 
-For further information, please see:
-<https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should also be considered for all user sessions. This allows an attacker less time to use a valid session ID. Session timeout values should be set based upon business needs. wThe length of the session should take into consideration the criticality of the application and the data contained within.
+
+For further information, please see Open Web Application Security Project (OWASP):
+
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>