Merge pull request #428 from bugcrowd/On-logout-failure-to-invalidate…

…-session

Updated rec for Failure to Invalidate Session on Logout

submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/recommendations.md

@@ -1,6 +1,8 @@
 # Recommendation(s)
 
-At a minimum, the current user sessions should be invalidated when the user logs out. As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should be considered for all user sessions. This allows an attacker less time to use a valid session ID. However, session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within.
+The application should invalidate all current user sessions, both server-side and client-side, when a user logs out.
+
+As many common user scenarios involve users leaving or closing a page instead of logging out, short session expiration should also be considered for all user sessions. This allows an attacker less time to use a valid session ID. Session timeout values should be set based upon business needs. wThe length of the session should take into consideration the criticality of the application and the data contained within.
 
 For further information, please see Open Web Application Security Project (OWASP):