users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. 4.2 If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. 4.3 If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. 4.4 The remote endpoint terminates the existing session when the user logs out. 4.5 A password policy exists and is enforced at the remote endpoint. 4.6 The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. 4.7 Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.