From b807869db5bda1072e47c32ab234ecb01f47abfa Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Tue, 16 Apr 2024 10:33:49 +0300 Subject: [PATCH] Add requirement against autologin without user interaction (#1929) --- 5.0/en/0x12-V3-Session-management.md | 1 + 1 file changed, 1 insertion(+) diff --git a/5.0/en/0x12-V3-Session-management.md b/5.0/en/0x12-V3-Session-management.md index 43d05d33bc..65690fcac1 100644 --- a/5.0/en/0x12-V3-Session-management.md +++ b/5.0/en/0x12-V3-Session-management.md @@ -27,6 +27,7 @@ As previously noted, these requirements have been adapted to be a compliant subs | **3.2.2** | [MODIFIED] Verify that opaque session tokens possess at least 128 bits of entropy. | ✓ | ✓ | ✓ | 331 | 7.1 | | **3.2.3** | [DELETED, MERGED TO 8.2.2] | | | | | | | **3.2.4** | [MODIFIED] Verify that opaque session tokens are generated using a secure random function. | | ✓ | ✓ | 330 | 7.1 | +| **3.2.5** | [ADDED] Verify that creating a session for the application requires the user's consent and that the application is protected against a CSRF-style attack where a new application session for the user is created via SSO without user interaction. | | ✓ | ✓ | | | TLS or another secure transport channel is mandatory for session management. This is covered in the Communications Security chapter.
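Review bot: the added 3.2.5 row leaves the CWE and NIST columns empty while the neighbouring 3.2.2 and 3.2.4 rows carry mappings (331 / 7.1 and 330 / 7.1); either add the applicable mapping or state in the PR that none is intended, so the gap is not read as an oversight. The requirement text also packs two separate checks into one sentence, "creating a session for the application requires the user's consent" and "protected against a CSRF-style attack where a new application session for the user is created via SSO without user interaction", which makes it hard to test as a single pass/fail item; consider splitting it, or at least naming the control a verifier should look for (for example, that the SSO response is bound to the browser session that initiated the login) so the wording matches the more specific style of the surrounding rows. Finally, the commit subject says "autologin without user interaction" while the row text is centred on "consent"; aligning the two terms would avoid ambiguity about whether an explicit confirmation step is required or merely that the login cannot be triggered by a third-party page.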