From e7697dfe286e863bdfb7fd988acf77ed7d7081df Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Thu, 18 Jan 2024 13:37:55 +0200 Subject: [PATCH] Address the scope question from this comment: https://github.com/OWASP/ASVS/issues/1800#issuecomment-1871816684 --- 5.0/en/0x12-V3-Session-management.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/5.0/en/0x12-V3-Session-management.md b/5.0/en/0x12-V3-Session-management.md index 9838331844..4a96127425 100644 --- a/5.0/en/0x12-V3-Session-management.md +++ b/5.0/en/0x12-V3-Session-management.md @@ -93,7 +93,7 @@ Attackers start a half-open attack by attempting to lock, reset, or recover a cr ## V3.8 Session Termination -Session termination may be handled either by the application itself or by the SSO provider if the SSO provider is handling session management instead of the application. +Session termination may be handled either by the application itself or by the SSO provider if the SSO provider is handling session management instead of the application. It may be necessary to decide whether the SSO provider is in scope when considering the requirements in this section as some may be controlled by the provider. Session termination should result in requiring re-authentication and be effective across the application, federated login (if present), and any relying parties. 
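Review bot: the sentence added to the V3.8 introduction ("It may be necessary to decide whether the SSO provider is in scope when considering the requirements in this section as some may be controlled by the provider.") raises the scoping question but does not say who makes that decision or what happens to the affected requirements once the provider is declared out of scope. As written, a reader could treat a provider-controlled requirement as simply not applicable. Consider stating that the scope decision should be recorded and that requirements delegated to the SSO provider still need to be verified against the provider's configuration or documented as accepted by the organisation, rather than dropped. Minor: a comma before "as some may be controlled by the provider" would make the sentence easier to parse.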
@@ -106,7 +106,7 @@ For stateful session mechanisms, this should just require invalidating the sessi | **3.8.3** | [MODIFIED, MOVED FROM 3.3.4] Verify that users are able to view and (having re-entered login credentials) terminate any or all currently active sessions. | | ✓ | ✓ | 613 | 7.1 | | **3.8.4** | [ADDED] Verify that all pages that require authentication have easy and visible access to logout functionality. | ✓ | ✓ | ✓ | | | | **3.8.5** | [ADDED] Verify that the application terminates all active sessions when a user account is disabled or deleted (such as an employee leaving the company). | ✓ | ✓ | ✓ | 613 | | -| **3.8.6** | [ADDED] Verify that application administrators are able to terminate any or all currently active sessions and devices for a user or for all users. | ✓ | ✓ | ✓ | 613 | 7.1 | +| **3.8.6** | [ADDED] Verify that application administrators are able to terminate active sessions for an individual user or for all users. | ✓ | ✓ | ✓ | 613 | 7.1 | ## References
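Review bot: the rewording of 3.8.6 from "terminate any or all currently active sessions and devices for a user or for all users" to "terminate active sessions for an individual user or for all users" silently narrows the requirement in two ways that the commit message (which only mentions the scope question) does not account for: "and devices" is removed, so revoking remembered or trusted devices is no longer covered, and "any or all" is removed, so it is no longer explicit that an administrator must be able to terminate a single selected session rather than only all of a user's sessions. If both changes are intended, the PR description should say so; otherwise consider keeping "any or all" (to match the wording of 3.8.3 in the same table) and deciding separately whether device revocation belongs here or in another requirement.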