From e5cf6320efbdb37acbe6da67948776fd773293b3 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 5 Aug 2025 12:53:29 +0200 Subject: [PATCH 1/4] changes in requirements to align on concurrent sessions --- docs/en/04-design/02-web-app-checklist/06-digital-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md index e2b548f0..b2724273 100644 --- a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md +++ b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md @@ -70,7 +70,7 @@ and use the list below as suggestions for a checklist that has been tailored for 8. Disallow persistent logins and enforce periodic session terminations, even when the session is active 9. If a session was established before login, close that session and establish a new session after a successful login 10. Generate a new session identifier on any re-authentication -11. Do not allow concurrent logins with the same user ID +11. Do not allow concurrent logins with the same session ID 12. Do not expose session identifiers in URLs, error messages or logs 13. Implement appropriate access controls to protect server side session data from unauthorized access from other users of the server From fa86c940c39b26b525ebcbe6e7d2cc0e00aa7b78 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 5 Aug 2025 13:09:20 +0200 Subject: [PATCH 2/4] move all session management items under session management --- .../06-digital-identity.md | 23 ++++++++----------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md index b2724273..61c00f72 100644 --- a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md 
+++ b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md @@ -56,7 +56,7 @@ and use the list below as suggestions for a checklist that has been tailored for 15. Ensure that no credentials are stored in clear text or are easily retrievable in encoded or encrypted forms in the browser's storage mechanisms -#### 3. Cryptographic based authentication +#### 3. Session Management 1. Use the server or framework's session management controls 2. Session identifier creation must always be done on a trusted system 
@@ -80,20 +80,17 @@ and use the list below as suggestions for a checklist that has been tailored for 16. Set the `secure` attribute for cookies transmitted over an [TLS][tls] connection 17. Set cookies with the `HttpOnly` attribute, unless you specifically require client-side scripts within your application to read or set a cookie value - -#### 4. Session Management - -1. Ensure that the session id is long, unique and random, i.e., is of high entropy -2. Generate a new session during authentication and re-authentication -3. All active sessions must be terminated when a user account is disabled or deleted -4. After a successful change or removal of any authentication factor give the option to terminate all other active sessions -5. Implement an idle timeout after a period of inactivity and an absolute maximum lifetime for each session, after +18. Ensure that the session id is long, unique and random, i.e., is of high entropy +19. Generate a new session during authentication and re-authentication +20. All active sessions must be terminated when a user account is disabled or deleted +21. After a successful change or removal of any authentication factor give the option to terminate all other active sessions +22. Implement an idle timeout after a period of inactivity and an absolute maximum lifetime for each session, after which users must re-authenticate -6. Supplement standard session management for sensitive server-side operations, like account management, by requiring and +23. Supplement standard session management for sensitive server-side operations, like account management, by requiring and validating anti-forgery tokens (CSRF tokens) for each request that may change application state or execute an action -7. If long authenticated sessions are allowed, periodically re-validate a user's authorization -8. The application must support termination of sessions when authorization ceases -9. 
Application administrators should be able to terminate active sessions and authentication codes and -tokens, and users +24. If long authenticated sessions are allowed, periodically re-validate a user's authorization +25. The application must support termination of sessions when authorization ceases +26. Application administrators should be able to terminate active sessions and authentication codes and -tokens, and users should be able to terminate their active sessions #### References From 4de7b12207bf33ae9e3cbcbb4bba7d2011777536 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 5 Aug 2025 13:10:33 +0200 Subject: [PATCH 3/4] Remove item concerning concurrent sessions --- docs/en/04-design/02-web-app-checklist/06-digital-identity.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md index 61c00f72..afcc603f 100644 --- a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md +++ b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md @@ -70,7 +70,6 @@ and use the list below as suggestions for a checklist that has been tailored for 8. Disallow persistent logins and enforce periodic session terminations, even when the session is active 9. If a session was established before login, close that session and establish a new session after a successful login 10. Generate a new session identifier on any re-authentication -11. Do not allow concurrent logins with the same session ID 12. Do not expose session identifiers in URLs, error messages or logs 13. Implement appropriate access controls to protect server side session data from unauthorized access from other users of the server From 693d2ae89797a5bb745b4650730236717a4fe9e9 Mon Sep 17 00:00:00 2001 
From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 5 Aug 2025 13:16:13 +0200 Subject: [PATCH 4/4] Reorder items --- .../06-digital-identity.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md index afcc603f..0daf0c9c 100644 --- a/docs/en/04-design/02-web-app-checklist/06-digital-identity.md +++ b/docs/en/04-design/02-web-app-checklist/06-digital-identity.md 
@@ -70,26 +70,26 @@ and use the list below as suggestions for a checklist that has been tailored for 8. Disallow persistent logins and enforce periodic session terminations, even when the session is active 9. If a session was established before login, close that session and establish a new session after a successful login 10. Generate a new session identifier on any re-authentication -12. Do not expose session identifiers in URLs, error messages or logs -13. Implement appropriate access controls to protect server side session data +11. Do not expose session identifiers in URLs, error messages or logs +12. Implement appropriate access controls to protect server side session data from unauthorized access from other users of the server -14. Generate a new session identifier and deactivate the old one periodically -15. Generate a new session identifier if the connection security changes from HTTP to HTTPS, +13. Generate a new session identifier and deactivate the old one periodically +14. Generate a new session identifier if the connection security changes from HTTP to HTTPS, as can occur during authentication -16. Set the `secure` attribute for cookies transmitted over an [TLS][tls] connection -17. Set cookies with the `HttpOnly` attribute, +15. Set the `secure` attribute for cookies transmitted over an [TLS][tls] connection +16. Set cookies with the `HttpOnly` attribute, unless you specifically require client-side scripts within your application to read or set a cookie value -18. Ensure that the session id is long, unique and random, i.e., is of high entropy -19. Generate a new session during authentication and re-authentication -20. All active sessions must be terminated when a user account is disabled or deleted -21. After a successful change or removal of any authentication factor give the option to terminate all other active sessions -22. Implement an idle timeout after a period of inactivity and an absolute maximum lifetime for each session, after +17. 
Ensure that the session id is long, unique and random, i.e., is of high entropy +18. Generate a new session during authentication and re-authentication +19. All active sessions must be terminated when a user account is disabled or deleted +20. After a successful change or removal of any authentication factor give the option to terminate all other active sessions +21. Implement an idle timeout after a period of inactivity and an absolute maximum lifetime for each session, after which users must re-authenticate -23. Supplement standard session management for sensitive server-side operations, like account management, by requiring and +22. Supplement standard session management for sensitive server-side operations, like account management, by requiring and validating anti-forgery tokens (CSRF tokens) for each request that may change application state or execute an action -24. If long authenticated sessions are allowed, periodically re-validate a user's authorization -25. The application must support termination of sessions when authorization ceases -26. Application administrators should be able to terminate active sessions and authentication codes and -tokens, and users +23. If long authenticated sessions are allowed, periodically re-validate a user's authorization +24. The application must support termination of sessions when authorization ceases +25. Application administrators should be able to terminate active sessions and authentication codes and -tokens, and users should be able to terminate their active sessions #### References
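Review bot: in PATCH 1/4, rewording item 11 from `Do not allow concurrent logins with the same user ID` to `Do not allow concurrent logins with the same session ID` does not describe a checkable control: a session ID names exactly one session, so two logins cannot share one, whereas the original wording (one account, several simultaneous sessions) is the policy that neighbouring items such as "All active sessions must be terminated when a user account is disabled or deleted" and "give the option to terminate all other active sessions" actually relate to. If the intent is to stop mandating one session per user, drop or soften the item (as PATCH 3/4 then does) rather than change its subject.

Review bot: in PATCH 2/4, the first hunk's rename of heading 3 from `Cryptographic based authentication` to `Session Management` fits the items beneath it (item 1 "Use the server or framework's session management controls", item 2 "Session identifier creation must always be done on a trusted system"), but the second hunk's deletion of `#### 4. Session Management` leaves the section with no heading 4; check that any later numbered heading in the file (not shown in this diff) is renumbered, and say in the commit message that heading 3 was previously mislabelled, since the subject only mentions moving items.

Review bot: in the second hunk of PATCH 2/4, appending the old section 4 items as 18 to 26 creates near-duplicates that should be consolidated rather than kept side by side: new item 19 (`Generate a new session during authentication and re-authentication`) restates items 9 and 10 (`close that session and establish a new session after a successful login`, `Generate a new session identifier on any re-authentication`), and new item 22 (idle timeout plus absolute maximum lifetime) overlaps item 8 (`enforce periodic session terminations, even when the session is active`) and item 14 (`Generate a new session identifier and deactivate the old one periodically`). New item 18 (session id long, unique and random) also belongs next to item 2 on identifier creation rather than after the cookie-attribute items. While touching this region, context item 16 reads `over an [TLS][tls] connection`; `a TLS connection` is correct.

Review bot: in PATCH 3/4, deleting item 11 leaves the list running 10, 12, 13 and so on until PATCH 4/4 renumbers it, and it discards the edit made to the same item in PATCH 1/4, so that commit has no net effect on the file. Squash patches 1, 3 and 4 so every commit in the series leaves the checklist consistently numbered, and state in the message what the concurrent-session requirement is being aligned with; the PATCH 1/4 subject says "align on concurrent sessions" but neither message names the reference.

Review bot: in PATCH 4/4, the hunk only decrements each number from 12 to 26 by one (11 to 25); the order of the items is unchanged, so the subject `Reorder items` is misleading and should read "Renumber items" unless the intent was to group related items (for example the three "generate a new session identifier" items) together. Separately, the continuation line of the last item appears as `-tokens, and users` both before and after the change while the diffstat (15 insertions, 15 deletions) is fully accounted for by the numbered lines, so that line is unchanged context; confirm the markdown source reads `tokens, and users` without a leading hyphen, which would otherwise render as a stray bullet in the middle of the sentence.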