Move 3.5.2 to 3.1.3 and modify to resolve #1522
tghosth authored Oct 3, 2023
1 parent 60f563d commit e3e2686
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion 5.0/en/0x12-V3-Session-management.md
Expand Up @@ -17,6 +17,7 @@ As previously noted, these requirements have been adapted to be a compliant subs
| :---: | :--- | :---: | :---: | :---: | :---: | :---: |
| **3.1.1** | [DELETED, MERGED TO 8.3.1] | | | | | |
| **3.1.2** | [ADDED] Verify that the application performs all session token verification using a trusted, back-end service. |||| 603 | |
| **3.1.3** | [MOVED FROM 3.5.2, MODIFIED] Verify that the application uses either **cryptographically signed or opaque tokens** for session management. Static API secrets and keys should be avoided. |||| 798 | 7.1 |

## V3.2 Session Binding

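Review bot: The second sentence of the new 3.1.3 row ("Static API secrets and keys should be avoided.") is advisory wording inside a "Verify that" requirement, so a tester has nothing concrete to check; fold it into the verifiable clause, e.g. "Verify that the application uses either cryptographically signed or opaque tokens for session management and does not use static API secrets or keys for this purpose", or drop it. The move also silently removes the "except with legacy implementations" carve-out that the old 3.5.2 wording carried; if that is intentional, say so in the commit message or the [MOVED FROM 3.5.2, MODIFIED] tag so reviewers of the changelog can see that the exception was withdrawn rather than lost. Finally, CWE 798 was carried over unchanged even though the requirement's primary clause is now about signed or opaque tokens rather than hard-coded secrets; worth a quick check that 798 is still the best mapping.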
Expand Down Expand Up @@ -62,7 +63,7 @@ Token-based session management includes JWT, OAuth, SAML, and API keys. Of these
| # | Description | L1 | L2 | L3 | CWE | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html) |
| :---: | :--- | :---: | :---: | :---: | :---: | :---: |
| **3.5.1** | [GRAMMAR] Verify that the application allows users to revoke OAuth tokens that form trust relationships with linked applications. | ||| 290 | 7.1.2 |
| **3.5.2** | [GRAMMAR] Verify that the application uses session tokens rather than static API secrets and keys, except with legacy implementations. | | || 798 | |
| **3.5.2** | [DELETED, MOVED TO 3.1.3, MODIFIED] | | | | | |
| **3.5.3** | [MODIFIED, LEVEL L2 > L1] Verify that stateless session tokens make use of a digital signature to protect against tampering and this is checked before processing it further. |||| 345 | |
| **3.5.4** | [ADDED] Verify that stateless tokens are checked for expiration before processing them further. |||| 613 | |
| **3.5.5** | [ADDED] Verify that only allow-listed signing algorithms are allowed for a stateless token. |||| 757 | |