3.3.1 Logout and expiration invalidate the session token¶
Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. (C6)
| Level 1 | X |
| Level 2 | X |
| Level 3 | X |
| CWE | NIST |
|---|---|
| 613 | 7.1 |
General¶
If a session can still be used after logging out then the lifetime of the session is increased and that gives third parties that may have intercepted the session token more (or perhaps infinite, if no absolute session expiry happens) time to impersonate a user. One quick way to test this is to log in, get the session token from the cookie, log out, then manually add the session cookie with the session token and see if you are still logged in.
PHP¶
Look for session_destroy in the logout functionality.
Symfony¶
This is a setting in security.yml:
invalidate_session: true
used by the default session controls.
Drupal¶
Drupal does this by default for /user/logout, but be wary of custom frontend logins!