| Review DBMS settings and vendor documentation to verify user sessions are terminated, and session identifiers invalidated, upon user logout. If they are not, this is a finding. |
Review system documentation and organization policy to identify other events that should result in session terminations.
If other session termination events are defined, review DBMS settings to verify occurrences of these events would cause session termination, invalidating the session identifiers.
If occurrences of defined session terminating events do not cause session terminations, invalidating the session identifiers, this is a finding.