From dc56d05934dc386c75b15b20b924415d2a0b9148 Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Tue, 2 May 2023 10:39:25 +1000 Subject: [PATCH 1/2] Updated rec for Failure to Invalidate Session on Logout --- .../on_logout/recommendations.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md index 564cdf02..7e154953 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md @@ -1,6 +1,10 @@ # Recommendation(s) -At a minimum, the current user sessions should be invalidated when the user logs out. As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should be considered for all user sessions. This allows an attacker less time to use a valid session ID. However, session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within. +The application should invalidate all current user sessions server-side and client-side when the user logs out. + +As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should be considered for all user sessions. This allows an attacker less time to use a valid session ID. + +Session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within. For further information, please see Open Web Application Security Project (OWASP): From acbaad5e9ee7b7a7f21ce4e36faa13cf32d1580e Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Fri, 5 May 2023 11:54:46 +1000 Subject: [PATCH 2/2] Update recommendations.md --- .../on_logout/recommendations.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md index 7e154953..236a1087 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md @@ -1,10 +1,8 @@ # Recommendation(s) -The application should invalidate all current user sessions server-side and client-side when the user logs out. +The application should invalidate all current user sessions, both server-side and client-side, when a user logs out. -As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should be considered for all user sessions. This allows an attacker less time to use a valid session ID. - -Session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within. +As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should also be considered for all user sessions. This allows an attacker less time to use a valid session ID. Session timeout values should be set based upon business needs. wThe length of the session should take into consideration the criticality of the application and the data contained within. For further information, please see Open Web Application Security Project (OWASP):