Invalidate session identifiers upon session termination.


CONTROL ID
10649
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Configure session timeout and reauthentication settings according to organizational standards., CC ID: 12460

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The control system shall provide the capability to invalidate session IDs upon user logout or other session termination (including browser sessions). (7.10.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • the capability to invalidate session identifiers upon user logout or other session termination (including browser sessions); (7.10.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. (3.3.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • the capability to invalidate session identifiers upon user logout or other session termination (including browser sessions); (7.10.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Session hijacking and other man-in-the-middle attacks or injections of false information often take advantage of easy-to-guess session IDs (keys or other shared secrets) or use of session IDs that were not properly invalidated after session termination. Therefore the validity of a session authentica… (7.10.2 ¶ 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The information system invalidates session identifiers upon user logout or other session termination. (SC-23(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Erase cached information, to include authenticators (see Section 5.6.2.1) in applications, when session is terminated. (§ 5.13.3 ¶ 1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The information system invalidates session identifiers upon user logout or other session termination. (SC-23(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • SHALL be erased or invalidated by the session subject when the subscriber logs out. (7.1 ¶ 3 3., Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • SHOULD be erased on the subscriber endpoint when the user logs out or when the secret is deemed to have expired. (7.1 ¶ 3 4., Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • SHOULD be tagged to expire at, or soon after, the session's validity period. This requirement is intended to limit the accumulation of cookies, but SHALL NOT be depended upon to enforce session timeouts. (7.1.1 ¶ 2 4., Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Session secrets SHALL be non-persistent. That is, they SHALL NOT be retained across a restart of the associated application or a reboot of the host device. (7.2 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The information system invalidates session identifiers upon user logout or other session termination. (SC-23(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system invalidates session identifiers upon user logout or other session termination. (SC-23(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Invalidate session identifiers upon user logout or other session termination. (SC-23(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Invalidate session identifiers upon user logout or other session termination. (SC-23(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)