Session
Set a maximum lifetime in sessions
Summary: Application sessions should have a maximum lifetime, regardless of the user activity (absolute timeout).
Description: Implementing an absolute timeout for application sessions is a security control applied to mitigate the risks associated with ...
Use stateless session tokens
Summary: The system should use securely generated, stateless session tokens that are validated using digital signatures instead of static API secrets.
Description: This approach is aligned with security best practices by emphasizing the use of ...
Avoid session ID leakages
Summary: The system must not expose session IDs in URLs and messages presented to the user.
Description: Session IDs are sensitive information that may allow an attacker to steal, modify and/or destroy information once they obtain one. Information sent ...
Discard user session data
Summary: When a session is terminated, either manually or automatically, the system must discard all related data and the session tokens must lose their validity.
Description: Session tokens have associated permissions that allow any actor who ...
Avoid object reutilization
Summary: The system must guarantee that objects (session ID, cookies, etc.) used in the authentication process cannot be reused (replay resistance).
Description: In a system, it is necessary to prevent transmitted information from being reused by an ...
Cookies with security attributes
Summary: The session cookies of web applications must have security attributes (HttpOnly, Secure, SameSite) and prefixes (e.g., __Host-).
Description: When you have web applications that handle sessions, you can use different attributes to improve the ...
Allow users to log out
Summary: The system must allow users to view and manually log out of any or all active sessions and devices.
Description: Session tokens have associated permissions that allow any actor who possesses them to perform actions in a system. If a user ...
Allow session lockout
Summary: The system must provide users the option to manually lock their session from any resource protected by authentication.
Description: This control allows users to take preventive measures to secure their accounts or sensitive information, ...
Encrypt client-side session information
Summary: The system must encrypt and verify client-side session information (ViewState).
Description: Using client-side encryption makes it less likely for the session data to be intercepted by hostile third parties.
Supported In: This requirement is ...
Manage concurrent sessions
Summary: The system must inform users of, or control, concurrent sessions.
Description: A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This can pose a risk for ...
Transfer information using session objects
Summary: The system must use session objects to transfer information between pages when needed.
Description: Sessions are used to maintain stateful information between different requests from users. A session object typically contains data associated ...
Terminate inactive user sessions
Summary: The system must terminate a session if there is a period of inactivity on the user side of 5 minutes or more.
Description: A system can leave a session indefinitely active if it does not have an automatic termination mechanism based on ...