5b1f207fd4d445e1bb73290a1b1c26d55f086c0b
[ssproject1617.git] / report / v3_session.tex
\begin{enumerate}[label={3.\arabic*}]

\item
\pass
Verify that there is no custom session manager, or that the custom session
manager is resistant against all common session management attacks.
\begin{result}
The application uses the standard \PHP functionality, \code{session_start()},
to manage sessions.
\end{result}


\item
\pass
Verify that sessions are invalidated when the user logs out.
\begin{result}
When a user logs out the application calls \code{forget()}, which destroys
the session.
\end{result}


\item
\fail
Verify that sessions time out after a specified period of inactivity.
\begin{result}
There is no functionality which tracks how long a user has been inactive.
\end{result}
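One way to close the failed inactivity check on top of PHP's native \code{session_start()} sessions, as an added example that is not the audited application's code; the function names, the 15-minute limit and the \code{/login.php} redirect are assumptions:

```php
<?php
// Added example, not the audited application's code. Assumes the app calls
// session_start() on every authenticated page; the 15-minute limit is illustrative.
const IDLE_TIMEOUT_SECONDS = 15 * 60;

// Start the session and enforce an inactivity limit. Returns true while the
// session is valid; false once it has expired and been destroyed.
function startSessionWithIdleTimeout(?int $now = null): bool
{
    $now = $now ?? time();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Restrictive cookie attributes belong with the timeout (see the
        // cookie checks later in this section): path, Secure, HttpOnly, SameSite.
        session_set_cookie_params([
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }
    $lastActivity = $_SESSION['last_activity'] ?? null;
    if ($lastActivity !== null && ($now - $lastActivity) > IDLE_TIMEOUT_SECONDS) {
        destroySession();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Invalidate server-side state and expire the client-side cookie, so the old
// id cannot be reused after the timeout.
function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// On an authenticated page: send expired sessions back to the login form.
if (!startSessionWithIdleTimeout()) {
    header('Location: /login.php?reason=timeout');
    exit;
}
```

The idle check must run before any authenticated content is emitted, since an expired session is destroyed on the request that detects it.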


\notapplicable{
\item
Verify that sessions time out after an administratively-configurable
maximum time period regardless of activity (an absolute timeout).
}

\item
\TODO{}
Verify that all pages that require authentication have easy and visible
access to logout functionality.

\item
\TODO{}
Verify that the session id is never disclosed in URLs, error messages, or
logs. This includes verifying that the application does not support URL
rewriting of session cookies.

\item
\TODO{}
Verify that all successful authentication and re-authentication generates
a new session and session id.

\notapplicable{
\item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}

\item
\TODO{}
Verify that session ids are sufficiently long, random and unique across the
correct active session base.

\item
\TODO{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
session tokens additionally set the ``HttpOnly'' and ``secure'' attributes.

\item
\TODO{}
Verify that the application limits the number of active concurrent sessions.

\item
\TODO{}
Verify that an active session list is displayed in the account profile or
similar of each user. The user should be able to terminate any active
session.

\item
\TODO{}
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.

\end{enumerate}