Merged
36 changes: 16 additions & 20 deletions docs/en/04-design/02-web-app-checklist/06-digital-identity.md
Expand Up @@ -56,7 +56,7 @@ and use the list below as suggestions for a checklist that has been tailored for
15. Ensure that no credentials are stored in clear text or are easily retrievable in encoded or encrypted forms in the
browser's storage mechanisms

#### 3. Cryptographic based authentication
#### 3. Session Management

1. Use the server or framework's session management controls
2. Session identifier creation must always be done on a trusted system
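Review bot: the heading rename from "Cryptographic based authentication" to "Session Management" at the top of this hunk corrects a mislabelled section (the items under it, starting with "Use the server or framework's session management controls", are session controls, not cryptographic authentication), but it also changes the generated anchor for this section, so please check the rest of the checklist and any cross-references elsewhere in the guide for links to the old heading and update them; the commit message should also say that the section is being renamed and merged rather than removed.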
Expand All @@ -70,30 +70,26 @@ and use the list below as suggestions for a checklist that has been tailored for
8. Disallow persistent logins and enforce periodic session terminations, even when the session is active
9. If a session was established before login, close that session and establish a new session after a successful login
10. Generate a new session identifier on any re-authentication
11. Do not allow concurrent logins with the same user ID
12. Do not expose session identifiers in URLs, error messages or logs
13. Implement appropriate access controls to protect server side session data
11. Do not expose session identifiers in URLs, error messages or logs
12. Implement appropriate access controls to protect server side session data
from unauthorized access from other users of the server
14. Generate a new session identifier and deactivate the old one periodically
15. Generate a new session identifier if the connection security changes from HTTP to HTTPS,
13. Generate a new session identifier and deactivate the old one periodically
14. Generate a new session identifier if the connection security changes from HTTP to HTTPS,
as can occur during authentication
16. Set the `secure` attribute for cookies transmitted over an [TLS][tls] connection
17. Set cookies with the `HttpOnly` attribute,
15. Set the `secure` attribute for cookies transmitted over an [TLS][tls] connection
16. Set cookies with the `HttpOnly` attribute,
unless you specifically require client-side scripts within your application to read or set a cookie value

#### 4. Session Management

1. Ensure that the session id is long, unique and random, i.e., is of high entropy
2. Generate a new session during authentication and re-authentication
3. All active sessions must be terminated when a user account is disabled or deleted
4. After a successful change or removal of any authentication factor give the option to terminate all other active sessions
5. Implement an idle timeout after a period of inactivity and an absolute maximum lifetime for each session, after
17. Ensure that the session id is long, unique and random, i.e., is of high entropy
18. Generate a new session during authentication and re-authentication
19. All active sessions must be terminated when a user account is disabled or deleted
20. After a successful change or removal of any authentication factor give the option to terminate all other active sessions
21. Implement an idle timeout after a period of inactivity and an absolute maximum lifetime for each session, after
which users must re-authenticate
6. Supplement standard session management for sensitive server-side operations, like account management, by requiring and
22. Supplement standard session management for sensitive server-side operations, like account management, by requiring and
validating anti-forgery tokens (CSRF tokens) for each request that may change application state or execute an action
7. If long authenticated sessions are allowed, periodically re-validate a user's authorization
8. The application must support termination of sessions when authorization ceases
9. Application administrators should be able to terminate active sessions and authentication codes and -tokens, and users
23. If long authenticated sessions are allowed, periodically re-validate a user's authorization
24. The application must support termination of sessions when authorization ceases
25. Application administrators should be able to terminate active sessions and authentication codes and -tokens, and users
should be able to terminate their active sessions

#### References
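Review bot: item 11 "Do not allow concurrent logins with the same user ID" is deleted outright with no replacement and nothing in the diff explains why; either keep it or state the rationale in the commit message so the dropped control reads as a deliberate decision rather than a casualty of the renumbering. Folding the former section 4 into section 3 also leaves near-duplicates in one list: new item 18 "Generate a new session during authentication and re-authentication" restates items 9 and 10 ("establish a new session after a successful login" / "Generate a new session identifier on any re-authentication"), and item 21's idle timeout and absolute lifetime overlaps with item 8's enforced periodic termination; consider collapsing each pair into a single entry while the numbering is already being redone. Minor: "authentication codes and -tokens" in item 25 reads oddly in English; "authentication codes and tokens" would do.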