This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system invalidates session identifiers upon user logout or other session termination.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement curtails the ability of adversaries to capture and continue to employ previously valid session IDs.
NIST 800-53 (r5) Discussion:
Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs.
38North Guidance:
Meets Minimum Requirement:
Configure the system to invalidate session identifiers (e.g., unique IDs, tokens, cookies) upon user logout or any other session termination (e.g., inactivity timeout, session identifier expiration).
Configure the system to erase session identifiers from memory and storage (e.g., caches, databases) after session termination or logout, so that a terminated identifier can no longer be resolved to a session.
Best Practice:
Ensure that session information (including identifiers) is invalidated and erased on both the client and the server (e.g., invalidating the session identifier cookie in the browser and the session object on the server, respectively).
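The guidance above in working form, as an added example that is not from the 38North page or any CSP product: a minimal server-side session store whose logout and inactivity-timeout paths both erase the server record and clear the client cookie, plus the kind of replay check the assessment evidence below asks a demonstration to show. The store layout, 900-second timeout, cookie name and user names are constructed assumptions.

```python
import secrets
import time

SESSION_TTL_SECONDS = 900   # inactivity timeout (assumed value)
COOKIE_NAME = "sid"         # assumed cookie name


class SessionStore:
    """Constructed in-memory store: sid -> {"user", "last_seen"} (example only)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock     # injectable clock so the timeout path can be exercised

    def create(self, user):
        sid = secrets.token_urlsafe(32)     # unpredictable identifier
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session's user, or None if the id is unknown or timed out."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > SESSION_TTL_SECONDS:
            self.invalidate(sid)    # inactivity: terminate and erase, same as logout
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def invalidate(self, sid):
        """Erase the server-side session object so the identifier never resolves again."""
        self._sessions.pop(sid, None)

    def is_stored(self, sid):
        return sid in self._sessions


def logout_headers(sid, store):
    """Logout: erase the server record and instruct the browser to discard its cookie."""
    store.invalidate(sid)
    # Max-Age=0 with an empty value removes the client-side copy of the identifier.
    return [("Set-Cookie",
             f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict")]


def replay_after_logout_rejected(store):
    """Assessment-style check: an identifier recorded while valid must not work after logout."""
    sid = store.create("alice")
    if store.lookup(sid) != "alice":
        return False            # sanity: the identifier must resolve while the session is live
    logout_headers(sid, store)
    return store.lookup(sid) is None and not store.is_stored(sid)
```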
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration showing session identifiers are invalidated upon logout.
Demonstration showing that a previously valid session identifier cannot be used to hijack a session once invalidated.
Evidence that session identifiers are erased from memory or storage devices once invalidated.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD