From f93557735f5f213c888c5992be258e56df050c8f Mon Sep 17 00:00:00 2001
From: Ryan Rudder <96507400+RRudder@users.noreply.github.com>
Date: Tue, 2 May 2023 15:57:47 +1000
Subject: [PATCH 1/3] updated rec for failure to invalidate session on email
 change

---
 .../on_email_change/recommendations.md                 | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
index 10b74604..a64806ea 100644
--- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
+++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
@@ -1,6 +1,10 @@
 # Recommendation(s)
 
-The application should monitor and alert the user to concurrent login events and provide the user a way to logout of other sessions than their current login.
+The application should invalidate all current user sessions server-side and client-side when a user changes their email.
 
-For further information, please see:
-<https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+It is also best practice to shorten session timeout values based upon business needs which take into consideration the criticality of the application and the data contained within.
+
+For further information, please see Open Web Application Security Project (OWASP):
+
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>

From 1b037033eded79ed455e3f96b9807be4dd3dc7cc Mon Sep 17 00:00:00 2001
From: Ryan Rudder <96507400+RRudder@users.noreply.github.com>
Date: Fri, 5 May 2023 11:51:29 +1000
Subject: [PATCH 2/3] Update recommendations.md

---
 .../on_email_change/recommendations.md                        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
index a64806ea..6d220784 100644
--- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
+++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
@@ -1,8 +1,8 @@
 # Recommendation(s)
 
-The application should invalidate all current user sessions server-side and client-side when a user changes their email.
+The application should invalidate all current user sessions, both server-side and client-side, when a user changes their email.
 
-It is also best practice to shorten session timeout values based upon business needs which take into consideration the criticality of the application and the data contained within.
+It is also best practice to shorten session timeout values based upon business needs. The length of the session should take into consideration the criticality of the application and the data contained within.
 
 For further information, please see Open Web Application Security Project (OWASP):
 

From 9c385ca6b5f6fd648c9a481f05133910d55ef9fc Mon Sep 17 00:00:00 2001
From: RRudder <96507400+RRudder@users.noreply.github.com>
Date: Wed, 15 May 2024 17:11:15 +1000
Subject: [PATCH 3/3] small update to recommendation

Addressed feedback from Norsey
---
 .../on_email_change/recommendations.md                          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
index 6d220784..336be350 100644
--- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
+++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
@@ -1,6 +1,6 @@
 # Recommendation(s)
 
-The application should invalidate all current user sessions, both server-side and client-side, when a user changes their email.
+The application should invalidate all current user sessions, both server-side and client-side, when a user changes their email address.
 
 It is also best practice to shorten session timeout values based upon business needs. The length of the session should take into consideration the criticality of the application and the data contained within.