Force re-authentication
Summary
The system must force users to re-authenticate or invalidate their session if the state of their account changes (e.g., password change/recovery, lockouts, user deletion, etc.).
Description
When important changes occur, such as a password change, account recovery, lockout, or user deletion, there is a potential risk of unauthorized access if an existing session remains active.
Forcing re-authentication ensures that only the legitimate account owner can continue with granted access to the account.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1036. Account use policies
- PA-DSS-3_1_11. Require the user to re-authenticate to re-activate the session (inactive)
- CMMC-AC_L2-3_1_11. Session termination
- WASC-W_49. Insufficient password recovery
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASP SCP-4. Session management
- OWASP SCP-5. Access control
- OWASP ASVS-2_1_6. Password security
- OWASP ASVS-3_3_2. Session termination
- PCI DSS-8_2_8. User identification for users and administrators are strictly managed
- OWASP ASVS-2_8_6. One time verifier
- OWASP ASVS-3_3_3. Session termination
- OWASP ASVS-4_2_2. Operation level access control
- CASA-2_8_6. One Time Verifier
- CASA-3_3_3. Session Termination
- CASA-4_2_2. Operation Level Access Control
Vulnerabilities
- 076.Insecure session management
- 295.Insecure session management - Change Password
- 337.Insecure session management - CSRF Fixation
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.