From 3f152bddd2c068503da8f59206828d1597164cfc Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Tue, 2 May 2023 10:41:44 +1000 Subject: [PATCH 1/2] update rec for Failure to Invalidate Session on Logout Server-Side Only --- .../on_logout_server_side_only/recommendations.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md index 564cdf02..3eab3ed8 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md 
@@ -1,6 +1,10 @@ # Recommendation(s) -At a minimum, the current user sessions should be invalidated when the user logs out. As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should be considered for all user sessions. This allows an attacker less time to use a valid session ID. However, session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within. +The application should invalidate all current user sessions server-side and client-side when the user logs out. + +As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should also be considered for all user sessions. This allows an attacker less time to use a valid session ID. + +Session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within. For further information, please see Open Web Application Security Project (OWASP): From 3142063907c2caa23e6ad32c7b2c97a9618ae730 Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Fri, 5 May 2023 11:54:01 +1000 Subject: [PATCH 2/2] Update recommendations.md --- .../on_logout_server_side_only/recommendations.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md index 3eab3ed8..836808fa 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md 
+++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/recommendations.md @@ -1,10 +1,8 @@ # Recommendation(s) -The application should invalidate all current user sessions server-side and client-side when the user logs out. +The application should invalidate all current user sessions, both server-side and client-side, when the user logs out. -As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should also be considered for all user sessions. This allows an attacker less time to use a valid session ID. - -Session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within. +As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should also be considered for all user sessions. This allows an attacker less time to use a valid session ID. Session timeout values should be set based upon business needs. wThe length of the session should take into consideration the criticality of the application and the data contained within. For further information, please see Open Web Application Security Project (OWASP):
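Review bot: In the first hunk (patch 1/2, `@@ -1,6 +1,10 @@`), the new opening line "The application should invalidate all current user sessions server-side and client-side when the user logs out." leaves the server-side requirement, which is the whole point of this finding (session invalidated on logout client-side only), reading as one of two equal options rather than the mandatory control; consider stating that the session identifier must be revoked server-side on logout so that a captured or cached token is rejected even if the client never discards it, with client-side cookie clearing as a secondary step. "All current user sessions" is also ambiguous between "the current session" and "every active session for this user"; say which is intended, since terminating all of a user's sessions on logout is a stronger and separately justified requirement.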
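Review bot: The second hunk (patch 2/2, `@@ -1,10 +1,8 @@`) introduces a typo in the added merged paragraph: "Session timeout values should be set based upon business needs. wThe length of the session should take into consideration..." has a stray leading "w" on "wThe" that should be dropped before merging. The same hunk also collapses the two paragraphs that patch 1/2 deliberately separated (short expiration rationale vs. how to choose the timeout value) back into one; if the split was intentional, keep it, otherwise note in the commit message why it was reverted.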