NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-23(1) Invalidate Session Identifiers at Logout

Invalidate session identifiers upon user logout or other session termination.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs.

Practitioner Notes

Session identifiers (tokens, cookies) must be invalidated when a user logs out, so they cannot be reused by an attacker.

Example 1: Configure your web application to destroy the session on the server side when a user clicks "Log Out." Do not just delete the cookie on the client — the server must also invalidate the session ID so it cannot be replayed.
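A minimal illustration of the server-side invalidation that Example 1 calls for, added here as example code (not from NIST or any product). The in-memory session store, the function names and the captured-cookie replay simulation are assumptions made for the example; a real deployment would back the store with its framework's session storage.

```python
import secrets
import time

# Constructed in-memory server-side session store: session id -> record.
# Assumption for the example; a real application uses its framework's store.
SESSIONS = {}
SESSION_TTL = 3600  # seconds; idle/absolute limits belong with SC-23 and AC-12


def login(user):
    """Create a server-side session and return the id to set as a cookie."""
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
    SESSIONS[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
    return sid


def lookup(sid):
    """Resolve an incoming cookie value to a user; None if the id is not valid."""
    rec = SESSIONS.get(sid)
    if rec is None or rec["expires"] < time.time():
        SESSIONS.pop(sid, None)  # drop expired entries as they are seen
        return None
    return rec["user"]


def logout_client_only(sid):
    """Weak pattern: tells the browser to drop the cookie, but the server-side
    session stays alive, so a previously captured id still works."""
    return "Set-Cookie: session=; Max-Age=0; Path=/"


def logout(sid):
    """SC-23(1) pattern: invalidate the identifier on the server first, then
    clear the cookie. A replayed copy of the old id now fails lookup()."""
    SESSIONS.pop(sid, None)
    return "Set-Cookie: session=; Max-Age=0; Path=/"


def replay_after_logout(user, logout_fn):
    """Simulate a session id captured before logout and presented afterwards.
    Returns True if the server still accepts the replayed id (the failure
    mode the control is meant to prevent)."""
    sid = login(user)
    captured = sid          # copy held outside the browser's cookie jar
    logout_fn(sid)          # browser-side cookie is cleared either way
    return lookup(captured) is not None
```

Running `replay_after_logout("alice", logout_client_only)` returns True while `replay_after_logout("alice", logout)` returns False, which is the difference between deleting the cookie and invalidating the identifier.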

Example 2: In Azure AD, configure token lifetime policies to limit how long access tokens remain valid. Use "Continuous Access Evaluation" so tokens are revoked almost immediately when a user's session is terminated or their risk level changes.