SC-23(1): Invalidate Session Identifiers At Logout

Control Family:

System And Communications Protection

Parent Control:

SC-23: Session Authenticity

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.PT-4

Threats Addressed:

Spoofing

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SC-23(1): Invalidate Session Identifiers at Logout

Control Statement

The information system invalidates session identifiers upon user logout or other session termination.

Supplemental Guidance

This control enhancement curtails the ability of adversaries from capturing and continuing to employ previously valid session IDs.