ASVS Requirement 7.4.1

• Level: 1
• Chapter: V7 Session Management
• Section: V7.4 Session Termination
• Source: 0x16-V7-Session-Management.md

Description

Verify that when session termination is triggered (such as logout or expiration), the application disallows any further use of the session. For reference tokens or stateful sessions, this means invalidating the session data at the application backend. Applications using self-contained tokens will need a solution such as maintaining a list of terminated tokens, disallowing tokens produced before a per-user date and time or rotating a per-user signing key.