Josh Grossman
I think the problem it solves is that we don't have a basic level requirement which says "use session tokens, not fixed values", which I think is why Jim came...
@elarlang what do you think about this very basic session management requirement which Jim suggested here https://github.com/OWASP/ASVS/issues/1522#issuecomment-1380700455

> Verify that the application uses framework-specific session tokens or cryptographically signed JSON...

> Is the context here machine-to-machine integrations, or does it cover all "usual" end-users with their browsers as well? If it is machine to machine, how is it different from the current 2.10.1?...
@elarlang do you approve this wording?
Ah yeah, I think it is intended to replace 3.5.2 with a generic requirement for the need for session management so it should be this: | # | Description |...
Fair point, how about this @elarlang: | # | Description | L1 | L2 | L3 | CWE | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html) | | :---: | :--- | :---: | :---:...
I cannot find a good CWE match so I would rather just get this in for now.
Although actually 3.5.2 originally had CWE-798 which is not ideal but it is something.
Opened #1743 to resolve
@elarlang what do you think?