v3 Session management verification requirements
- 3.1 Uses default session management
- 3.2 Sessions are invalidated on user log out
- 3.3 Session times out after inactivity
- 3.4 Session has absolute timeout
- 3.5 Shows logout link
- 3.6 Does not disclose session id
- 3.7 Session id is changed on login
- 3.10 Session ids may only come from framework
- 3.11 Session tokens are sufficiently long and random
- 3.12 Session cookies have appropriately restricted paths
- 3.16 Does not permit duplicate concurrent user sessions from different machines
- 3.17 User can see and terminate all his sessions
- 3.18 User is prompted for session termination on password change
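As an added illustration that is not part of this requirements list, the following Python session store shows how 3.2, 3.3, 3.4, 3.7, 3.11, 3.16, 3.17 and 3.18 look when enforced server-side; the class name, timeout values and single-session policy are assumptions, not ASVS text.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # 3.3: inactivity timeout in seconds (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # 3.4: absolute lifetime in seconds (assumed value)


class SessionStore:
    """Hypothetical in-memory session store; all state is kept server-side."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session_id -> {"user", "machine", "created", "last_seen"}

    def _new_id(self):
        # 3.10 / 3.11: id comes only from a CSPRNG, 256 bits, never from user data
        return secrets.token_urlsafe(32)

    def login(self, user, machine, old_id=None):
        self.sessions.pop(old_id, None)  # 3.7: pre-login id is discarded, not reused
        # 3.16: a login from a different machine evicts the user's other sessions
        for sid, s in list(self.sessions.items()):
            if s["user"] == user and s["machine"] != machine:
                del self.sessions[sid]
        sid, now = self._new_id(), self.clock()
        self.sessions[sid] = {"user": user, "machine": machine,
                              "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        # 3.3 / 3.4: expire server-side; a cookie outliving its entry is rejected
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)  # 3.2: replaying the old cookie now fails

    def list_sessions(self, user):
        return [sid for sid, s in self.sessions.items() if s["user"] == user]  # 3.17

    def terminate_all(self, user, keep=None):
        # 3.17 / 3.18: end every session of the user, optionally keeping the current one
        for sid in self.list_sessions(user):
            if sid != keep:
                del self.sessions[sid]
```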