-
-
Notifications
You must be signed in to change notification settings - Fork 676
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
1.3.2 - Multiple Concurrent Sessions Handling (Documentation) #2101
Comments
Like it! Thank you! |
Slight change
Overall I think it sounds good :) |
this does not feel right :) |
How about:
|
I'm a bit worried, that "behavior and handling sessions" are a bit vague here. It's not clear from the requirement, what we need to verify and what must be done. |
Yes, on looking over, I agree. Consider:
This wording may exclude some possible desirable controls. Thoughts? |
Seems like a 2 separate topics here? One requirement:
And something for other - but what goal it has?
|
Most every app I use allows for parallel sessions - which are secured by all of the other requirements we talk about in this section. I suggest we drop 1.3.2, it does not really help for security. Multiple sessions are the norm, I do not see why we need special requirements to talk about them. |
For example, if you have an backoffice account meant to be used from by one user from one workstation, you have logical limitation for "1 active session per account". It depends on the application needs, that's why we need the documented security decision. |
@elarlang This is such an edge case in my world - but I see it's more frequent in back-office and finance so I drop my concern. |
Following discussion with @elarlang, I will propose the following simplification for this requirement:
|
Last proposal:
It defines it as boolean - multiple allowed or not, but does not set the limit, how many parallel sessions are allowed. I prefer my direction:
Just an idea - should it cover also the situation, when a "max amount of allowed sessions is reached" and then new authentication is made, is it FIFO there or anything else. |
How about this:
|
Clear for me |
PR via #2171 |
Starting with the following proposal for documenting the handling of multiple concurrent sessions:
L1 requirement based on 3.8.2, 3.8.5, and 3.8.6.
The text was updated successfully, but these errors were encountered: