Update 0x09-V4-Authentication_and_Session_Management_Requirements.md

Document/0x09-V4-Authentication_and_Session_Management_Requirements.md

@@ -11,7 +11,7 @@ In most cases, users logging into a remote service is an integral part of the ov
 | **4.1** | If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. | ✓ | ✓ |
 | **4.2** | If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.  | ✓ | ✓ |
 | **4.3** | If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. | ✓ | ✓ |
-| **4.4** | The remote endpoint terminates the existing stateful session or invalidates the stateless session token when the user logs out. | ✓ | ✓ |
+| **4.4** | The remote endpoint terminates the existing session when the user logs out. | ✓ | ✓ |
 | **4.5** | A password policy exists and is enforced at the remote endpoint. | ✓ | ✓ |
 | **4.6** | The remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrect authentication credentials are submitted an excessive number of times. | ✓ | ✓ |
 | **4.7** | Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore. |   | ✓ |