One of the top ten points on the OWASP website claims that we should consider restoring a new session if the authentication level or privilege is successfully changed.
What would be the right way to do this?
One thing that the employee told me about, but I didn’t test, is that when a user uses browser tabs, each tab does not receive its own session, so I think this negates the whole exercise.
Thanks Paul Sperantza
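As an added example, not code from the original post, here is what "issue a new session when the authentication level changes" looks like on the server side. It is framework-neutral: an in-memory dict stands in for the session store, and the user table is a constructed plaintext table for the demo (a real application stores password hashes). What it shows is the mechanism behind calls such as `session.regenerate()` in express-session or `request.session.cycle_key()` in Django: on a successful login the session data is moved under a freshly generated ID and the old ID stops resolving, so a session-fixation attacker who planted or sniffed the pre-login ID is left with nothing. On logout the authenticated session is destroyed outright rather than carried over. Because the ID is delivered in one cookie for the whole origin, every browser tab sends the same new ID after the rotation; the `browser` dict in `demo()` models that single cookie jar.

```python
"""Session-ID regeneration on authentication-level change (added example)."""
import hmac
import secrets


class SessionStore:
    """Server-side session store keyed by an unguessable session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._sessions[sid] = {"user": None, "role": "anonymous"}
        return sid

    def get(self, sid):
        """Return the session data, or None for an unknown or retired ID."""
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session data under a fresh ID and retire the old one.

        This is the step to take on any upward change of privilege: an ID
        obtained before authentication (fixation, leaked referer, shoulder
        surfing) no longer maps to the authenticated session.
        """
        data = self._sessions.pop(old_sid, None)
        if data is None:
            raise KeyError("unknown or already-retired session ID")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


# Constructed demo credentials (plaintext only for brevity; hash in real code).
USERS = {"alice": ("correct-horse", "user"), "root": ("battery-staple", "admin")}


def login(store, sid, username, password):
    """Authenticate; on success return the NEW ID the client must switch to."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        return None  # failed login: the anonymous session stays as it was
    new_sid = store.regenerate(sid)  # privilege went up: rotate the ID
    store.get(new_sid).update(user=username, role=record[1])
    return new_sid


def logout(store, sid):
    """Privilege goes down: drop the session entirely, start a fresh anonymous one."""
    store.destroy(sid)
    return store.create()


def demo():
    """Walk one browser (one cookie jar shared by all its tabs) through login."""
    store = SessionStore()
    browser = {"cookie": store.create()}  # assumption: one cookie per origin
    pre_login_id = browser["cookie"]

    new_id = login(store, browser["cookie"], "alice", "correct-horse")
    browser["cookie"] = new_id  # Set-Cookie replaces the ID for every tab

    tab1 = store.get(browser["cookie"])  # second tab reads the same cookie
    tab2 = store.get(browser["cookie"])
    attacker = store.get(pre_login_id)  # whoever held the old ID gets nothing
    return tab1["user"], tab2["user"], attacker
```

The point to verify in your own framework is the last line of `demo()`: after login, the ID the client held before authentication must resolve to no session at all, not to the now-authenticated one.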