diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
index 10b74604..336be350 100644
--- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
+++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md
@@ -1,6 +1,10 @@
 # Recommendation(s)
 
-The application should monitor and alert the user to concurrent login events and provide the user a way to logout of other sessions than their current login.
+The application should invalidate all current user sessions, both server-side and client-side, when a user changes their email address.
 
-For further information, please see:
-<https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+It is also best practice to shorten session timeout values based upon business needs. The length of the session should take into consideration the criticality of the application and the data contained within.
+
+For further information, please see Open Web Application Security Project (OWASP):
+
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>