[PCI DSS 3.0] 6.5.10 Broken authentication and session management

Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.

6.5.10 Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques that commonly include:
• Flagging session tokens (for example cookies) as “secure”
• Not exposing session IDs in the URL
• Incorporating appropriate time-outs and rotation of session IDs after a successful login

Secure authentication and session management prevents unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
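As an added illustration of the three coding techniques listed above (this is example code, not PCI DSS text or any framework's implementation), a minimal Python session store that issues random session IDs, rotates the ID on login, enforces idle and absolute time-outs, emits the cookie with the Secure flag, and refuses a session ID supplied in the URL. The time-out values and the cookie name are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Time-out values are assumed for this example; PCI DSS does not fix them.
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity after which the session is dead
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime regardless of activity

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can fast-forward time
        self._sessions = {}          # token -> {"user", "created", "last_seen"}

    def create(self, user=None):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def login(self, old_token, user):
        # Rotate the session ID: drop the pre-login ID so a token fixed or
        # observed before authentication never becomes an authenticated one.
        self._sessions.pop(old_token, None)
        return self.create(user)

    def get(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]    # expired: treat as if it never existed
            return None
        s["last_seen"] = now
        return s

def set_cookie_header(token, name="SESSIONID"):
    # Secure: only sent over HTTPS; HttpOnly: not readable by page scripts.
    return f"{name}={token}; Secure; HttpOnly; SameSite=Lax; Path=/"

def token_from_request(headers, url, name="SESSIONID"):
    """Take the session ID only from the Cookie header; refuse it in the URL."""
    if name in parse_qs(urlparse(url).query):
        raise ValueError("session ID must not be passed in the URL")
    for part in headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None
```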