From e3e2686718055f44eba39f1f0054a25e7daa4b16 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Tue, 3 Oct 2023 15:39:12 +0300 Subject: [PATCH] Move 3.5.2 to 3.1.3 and modify to resolve #1522 --- 5.0/en/0x12-V3-Session-management.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/5.0/en/0x12-V3-Session-management.md b/5.0/en/0x12-V3-Session-management.md index 86594eddeb..b6c8ddbe2f 100644 --- a/5.0/en/0x12-V3-Session-management.md +++ b/5.0/en/0x12-V3-Session-management.md @@ -17,6 +17,7 @@ As previously noted, these requirements have been adapted to be a compliant subs | :---: | :--- | :---: | :---: | :---: | :---: | :---: | | **3.1.1** | [DELETED, MERGED TO 8.3.1] | | | | | | | **3.1.2** | [ADDED] Verify that the application performs all session token verification using a trusted, back-end service. | ✓ | ✓ | ✓ | 603 | | +| **3.1.3** | [MOVED FROM 3.5.2, MODIFIED] Verify that the application uses either **cryptographically signed or opaque tokens** for session management. Static API secrets and keys should be avoided. | ✓ | ✓ | ✓ | 798 | 7.1 | ## V3.2 Session Binding 
@@ -62,7 +63,7 @@ Token-based session management includes JWT, OAuth, SAML, and API keys. Of these | # | Description | L1 | L2 | L3 | CWE | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html) | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | | **3.5.1** | [GRAMMAR] Verify that the application allows users to revoke OAuth tokens that form trust relationships with linked applications. | | ✓ | ✓ | 290 | 7.1.2 | -| **3.5.2** | [GRAMMAR] Verify that the application uses session tokens rather than static API secrets and keys, except with legacy implementations. | | ✓ | ✓ | 798 | | +| **3.5.2** | [DELETED, MOVED TO 3.1.3, MODIFIED] | | | | | | | **3.5.3** | [MODIFIED, LEVEL L2 > L1] Verify that stateless session tokens make use of a digital signature to protect against tampering and this is checked before processing it further. | ✓ | ✓ | ✓ | 345 | | | **3.5.4** | [ADDED] Verify that stateless tokens are checked for expiration before processing them further. | ✓ | ✓ | ✓ | 613 | | | **3.5.5** | [ADDED] Verify that only allow-listed signing algorithms are allowed for a stateless token. | ✓ | ✓ | ✓ | 757 | |
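Review bot: the new 3.1.3 row in the first hunk is tagged [MOVED FROM 3.5.2, MODIFIED], but it also raises the level from L2 to L1 (3.5.2 had no tick in the L1 column; 3.1.3 is ticked for L1, L2 and L3) and drops the "except with legacy implementations" carve-out, so the tag should record the level change the way 3.5.3 does in this same file, e.g. [MOVED FROM 3.5.2, MODIFIED, LEVEL L2 > L1]. Two smaller points in the same row: the trailing sentence "Static API secrets and keys should be avoided." is the only text in the table that is not phrased as "Verify that ..." and is not testable as written; folding it into the requirement ("... for session management rather than static API secrets and keys") keeps the row verifiable. The bold around "cryptographically signed or opaque tokens" is also not used by any other requirement in the table.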
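Review bot: the unchanged V3.5 intro line in the second hunk still reads "Token-based session management includes JWT, OAuth, SAML, and API keys", but with 3.5.2 deleted this section no longer contains a requirement about API keys; either point the reader at 3.1.3 here or drop API keys from that list. The remaining 3.5.3 row ("stateless session tokens make use of a digital signature") now overlaps with the "cryptographically signed" wording of 3.1.3, so a cross-reference between the two would help assessors avoid raising the same finding twice. Minor consistency point: the placeholder row uses [DELETED, MOVED TO 3.1.3, MODIFIED] while the existing deleted row 3.1.1 uses [DELETED, MERGED TO 8.3.1] with no MODIFIED marker; since the modification is visible at 3.1.3, [DELETED, MOVED TO 3.1.3] would match the existing convention.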