There should be a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements. This could be role-dependent. Additionally disallow persistent logins and enforce periodic session terminations (e.g. after 8 or 12 hours), even when the session is active, especially for applications supporting rich network connections or connecting to critical systems. Termination times should support business requirements and the user should receive sufficient notification to mitigate negative impacts.

NB: This card primarily relates to session timeout, but also includes using the same session identifier in concurrent sessions. See SM 3 for concurrent sessions created by authenticating more than once in different browsers/devices.