updated rec for failure to invalidate session on email change

submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/recommendations.md

@@ -1,6 +1,10 @@
 # Recommendation(s)
 
-The application should monitor and alert the user to concurrent login events and provide the user a way to logout of other sessions than their current login.
+The application should invalidate all current user sessions, both server-side and client-side, when a user changes their email.
 
-For further information, please see:
-<https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+It is also best practice to shorten session timeout values based upon business needs. The length of the session should take into consideration the criticality of the application and the data contained within.
+
+For further information, please see Open Web Application Security Project (OWASP):
+
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons>
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>