User Session Management Requirements
Maturity Level 1
Lock Endpoint Device Sessions After Inactivity
Product must provide capability to automatically lock endpoint device sessions after a standard period of inactivity.
This is a basic security control that should be used universally. Employees should also be trained to lock their computers whenever they leave them.
Applies to: Vendor provided hardware
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.1.11
Ensure That Session Identifiers Are Sufficiently Random
Session tokens must be generated by a cryptographically secure random number generator and must be at least 128 bits long or provide 64 bits of entropy.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.5.5
Invalidate the Session after Logout
When the user logs out of the application, the session on the server must be destroyed. This ensures that the session cannot be accidentally revived.
Applies to: Web applications
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.5.6
Implement an Idle Session Timeout
When a user is not active for a period of time, the application should automatically log the user out.
Be aware that Ajax applications may make recurring calls to the application, effectively resetting the timeout counter automatically.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.5.9
Maturity Level 2
Regenerate Session Tokens
Regenerate session tokens when the user authenticates to the application. Additionally, should the encryption status of the connection change (for example, a session established over an unencrypted connection moving to an encrypted one), the session token must be regenerated.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.5.10
Maturity Level 3
Destroy Sessions at Any Sign of Tampering
Unless the application requires multiple simultaneous sessions for a single user, implement features to detect session cloning attempts. Should any sign of session cloning be detected, the session must be destroyed, forcing the real user to reauthenticate.
Applies to: Web components
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.5.7
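The session requirements above (sufficiently random identifiers, idle timeout, invalidation at logout, regeneration on authentication, and destruction on signs of cloning) combined in one added example that is not part of the CIS document: a small in-memory server-side session store. It assumes a 15-minute idle timeout and uses a caller-supplied client fingerprint as the cloning signal; both are illustrative choices, not values from this page.

```python
import secrets
import time

SESSION_ID_BYTES = 16          # 128 bits from the OS CSPRNG (well over 64 bits of entropy)
IDLE_TIMEOUT_SECONDS = 15 * 60 # assumed policy value, not taken from the requirements


class SessionStore:
    """In-memory server-side session store (demonstration only, not production code)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so idle timeout can be tested
        self._sessions = {}        # token -> {"user", "last_seen", "fingerprint"}

    @staticmethod
    def _new_token():
        return secrets.token_hex(SESSION_ID_BYTES)

    def _store(self, fingerprint, user):
        token = self._new_token()
        self._sessions[token] = {"user": user, "last_seen": self._now(),
                                 "fingerprint": fingerprint}
        return token

    def create(self, fingerprint, user=None):
        """Start a (possibly anonymous, pre-authentication) session."""
        return self._store(fingerprint, user)

    def touch(self, token, fingerprint):
        """Validate a presented token; returns the session record or None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._now() - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]      # idle timeout: destroy on the server
            return None
        if s["fingerprint"] != fingerprint:
            del self._sessions[token]      # sign of cloning: destroy, force re-auth
            return None
        s["last_seen"] = self._now()
        return s

    def authenticate(self, token, fingerprint, user):
        """On login, discard the pre-auth token and issue a fresh one."""
        if self.touch(token, fingerprint) is None:
            return None
        del self._sessions[token]
        return self._store(fingerprint, user)

    def logout(self, token):
        """Destroy the server-side session so the token cannot be revived."""
        self._sessions.pop(token, None)
```

The same regeneration path in authenticate is what an application would call when the connection's encryption status changes.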