Session Management

General

Ensure sessions are unique to each individual and cannot be guessed or shared.
Invalidate sessions when no longer required and time out during a period of inactivity.
Never reveal session tokens in the application (e.g. in URL parameters or error messages).
Ensure a valid session or require re-authentication for sensitive actions.

Session Binding

Session Logout and Timeout

Invalidate the session token upon logout and expiration, such that the back button or a downstream relying party cannot resume an authenticated session
If allowing users to remain logged in, re-authenticate periodically both when actively used or after an idle period.
Terminate a user's active sessions after a successful password change across the application, federated login, and any relying parties.
Allow users to view and log out of any or all currently active sessions and devices.

Tokens

Do not accept OAuth and refresh tokens as presence of the subscriber.
Allow users to terminate trust relationships with linked applications.
Use session tokens rather than static API secrets and keys.
Protect stateless session tokens with the following controls:
- Digital signatures
- Encryption

Re-Authentication from a Federation or Assertion

Relying parties (RP) must specify the maximum authentication time
Credential Service Providers (CSP) must re-auth a user if the session times out.
CSPs must inform RPs of the last authentication event.

Example security user stories

As a user, I want the application to use session state to ensure my use is unique and protected.
As a user, I want the application to follow security best practices for session use, generation, management, and destruction.
As a user, I want the session to timeout after a period of inactivity.
As a user, I want cookie-based sessions to have all the appropriate security settings set.
As a user, I want token-based sessions to use digital signatures, encryption, and other measures to ensure my session cannot be tampered with.

Provide feedback