6.5.10 Broken authentication and session management

6.5.10 Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques that commonly include:
• Flagging session tokens (for example cookies) as “secure”
• Not exposing session IDs in the URL
• Incorporating appropriate time-outs and rotation of session IDs after a successful login.

Secure authentication and session management prevents unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
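The three coding techniques named in the testing procedure (Secure-flagged session cookies, no session ID in the URL, time-outs plus rotation of the session ID on login) are illustrated below in an added example written for this page; it is not part of the PCI DSS text and not a reference implementation. The cookie name, the timeout values, the SessionStore class and the fake clock are assumptions made for the illustration; only the Python standard library is used.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Illustrative values (assumptions, not PCI DSS mandated numbers).
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime, active or not
COOKIE_NAME = "sid"          # hypothetical cookie name


@dataclass
class Session:
    created: float
    last_seen: float
    user: Optional[str] = None   # None until a successful login


class SessionStore:
    """In-memory store; the clock is injectable so time-outs can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG; never derived from user data or counters.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous (pre-authentication) session, e.g. for a login form."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the session if it exists and neither time-out has elapsed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]       # expired: purge rather than refresh
            return None
        s.last_seen = now                 # sliding idle window
        return s

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the session ID after successful authentication.

        The pre-login ID is discarded so an attacker who planted or observed it
        (session fixation) does not end up holding the authenticated session.
        """
        self._sessions.pop(old_sid, None)
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(created=now, last_seen=now, user=user)
        return new_sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access), SameSite."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_id_from_request(cookie_header: str, url: str) -> Optional[str]:
    """Accept the session ID only from the cookie, never from the URL.

    A request that carries the ID in the query string is rejected outright:
    URLs land in browser history, proxy logs and Referer headers.
    """
    if COOKIE_NAME in parse_qs(urlparse(url).query):
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(set_cookie_header(authed))
    print("old id still valid:", store.lookup(anon) is not None)   # False
```

The rotation in login() is the step most often missed in practice: frameworks usually set the Secure flag for you, but keeping the same ID across the authentication boundary is what turns a fixation attack into an account takeover.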