ASVS
Browse ASVS
V7.3: Session Timeout
V7.3.1: Verify that there is an inactivity timeout such that re-authentication is enforced according to risk analysis and documented security decisions.

Verify that there is an inactivity timeout such that re-authentication is enforced according to risk analysis and documented security decisions.

Not applicable - The control is not applicable for the given scope.
Not implemented / not verified - The control is not implemented or not verified.
Limited implementation - The control is implemented for the most critical parts of the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Systematic implementation - The control is systematically implemented and pervasive in the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Full implementation - The control is fully implemented for the complete codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).

Description

Verify that there is an inactivity timeout such that re-authentication is enforced according to risk analysis and documented security decisions.

V7.3.2: Verify that there is an absolute maximum session lifetime such that re-authentication is enforced according to risk analysis and documented security decisions.

Verify that there is an absolute maximum session lifetime such that re-authentication is enforced according to risk analysis and documented security decisions.

Not applicable - The control is not applicable for the given scope.
Not implemented / not verified - The control is not implemented or not verified.
Limited implementation - The control is implemented for the most critical parts of the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Systematic implementation - The control is systematically implemented and pervasive in the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Full implementation - The control is fully implemented for the complete codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).

Description

Verify that there is an absolute maximum session lifetime such that re-authentication is enforced according to risk analysis and documented security decisions.