SC-23(1): Invalidate Session Identifiers at Logout

CSF v1.1 References:

Threats Addressed:


(Not part of any baseline)

Previous Version:

Control Statement

Invalidate session identifiers upon user logout or other session termination.

Supplemental Guidance

Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs.