Session hijacking has to check on 'concurrent sessions' (code example)

[RiieCco]

No description provided.

[jowasp]

Session hijacking must also check concurrent sessions (provide example)
[Translation]
This is explained in the ASVS:
3.16
Verify that the application limits the number of active concurrent sessions.

[jmanico]

Bah, limiting multiple concurrent sessions doesn't always make sense. You may want to log into the web, your mobile and your iPad together in some cases. This is not a hard rule, just a suggestion.

More importantly, inform users of open sessions and give them a chance to close them, like we see at google and other services.

Jim Manico
@manicode

On Feb 10, 2016, at 4:41 PM, jowasp notifications@github.com wrote:

Session hijacking must also check concurrent sessions (provide example)
[Translation]
This is exam plain in the ASVS:
3.16
Verify that the application limits the number of active concurrent sessions.

—
Reply to this email directly or view it on GitHub.

[jowasp]

Agree with @jmanico I was just translating ;-P