% ssproject1617.git: report/v3_session.tex
\begin{enumerate}[label={3.\arabic*}]

\item
\TODO{}
Verify that there is no custom session manager, or that the custom session
manager is resistant to all common session management attacks.

\item
\TODO{}
Verify that sessions are invalidated when the user logs out.

\item
\TODO{}
Verify that sessions time out after a specified period of inactivity.

\notapplicable{
\item
Verify that sessions time out after an administratively configurable
maximum time period regardless of activity (an absolute timeout).
}

\item
\TODO{}
Verify that all pages that require authentication have easy and visible
access to logout functionality.

\item
\TODO{}
Verify that the session id is never disclosed in URLs, error messages, or
logs. This includes verifying that the application does not support URL
rewriting of session cookies.

\item
\TODO{}
Verify that every successful authentication and re-authentication generates
a new session and session id.

\notapplicable{
\item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}

\item
\TODO{}
Verify that session ids are sufficiently long, random and unique across the
whole active session base.

\item
\TODO{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and that authentication
session tokens additionally set the ``HttpOnly'' and ``Secure'' attributes.

\item
\TODO{}
Verify that the application limits the number of active concurrent sessions.

\item
\TODO{}
Verify that an active session list is displayed in the account profile or
similar of each user. The user should be able to terminate any active
session.

\item
\TODO{}
Verify that the user is prompted with the option to terminate all other
active sessions after a successful password change.

\end{enumerate}
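The following script is an added example, not part of this report or of the application under assessment: it runs offline over a captured \texttt{Set-Cookie} header and a sample of session ids (both constructed inside the script) and flags what items 3.6, 3.9 and 3.10 above ask the reviewer to verify. The cookie names, the 64-bit entropy threshold (taken from the OWASP Session Management Cheat Sheet) and the $2^{16}$ window used to call ids ``sequential'' are assumptions, not values taken from the report.

```python
# Offline checks for items 3.6, 3.9 and 3.10 (added example, not part of
# the original report or of the application under test).
import math
import re
from collections import Counter

# Cookie names frameworks commonly use for the authentication session
# (assumed list; extend it for the application under test).
SESSION_COOKIE_NAMES = ("jsessionid", "phpsessid", "sessionid", "session", "connect.sid")
# The OWASP Session Management Cheat Sheet asks for at least 64 bits of entropy.
MIN_ENTROPY_BITS = 64
# URL rewriting of the session cookie, e.g. /cart;jsessionid=... or ?PHPSESSID=...
URL_REWRITE = re.compile(
    r"[;?&](" + "|".join(map(re.escape, SESSION_COOKIE_NAMES)) + r")=", re.I)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def check_cookie_attributes(header, app_path="/"):
    """Item 3.10: Path restricted to the application, HttpOnly and Secure set.
    Returns a list of findings; an empty list means the cookie passed."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    if attrs.get("secure") is not True:
        findings.append("missing Secure")
    path = attrs.get("path")
    # No Path attribute means the browser derives one from the request URL,
    # which is not a deliberate choice; "/" is wider than app_path when the
    # application is mounted under a sub-path.
    if not isinstance(path, str) or not path.startswith(app_path):
        findings.append(f"Path {path!r} is not restricted to {app_path!r}")
    return findings


def effective_bits(session_id):
    """Item 3.9: upper bound on the entropy of one id, assuming every character
    was drawn uniformly from the alphabet its encoding allows. This only bounds
    the length; real randomness needs statistical tests on a large sample."""
    if re.fullmatch(r"[0-9]+", session_id):
        bits_per_char = math.log2(10)
    elif re.fullmatch(r"[0-9a-fA-F]+", session_id):
        bits_per_char = 4
    elif re.fullmatch(r"[A-Za-z0-9+/=_-]+", session_id):
        bits_per_char = 6
    else:
        bits_per_char = math.log2(len(set(session_id)))
    return len(session_id) * bits_per_char


def assess_session_ids(ids):
    """Item 3.9 over a sample of ids issued to fresh sessions: length,
    uniqueness, and a crude predictability check for counter-like ids."""
    findings = []
    weak = [s for s in ids if effective_bits(s) < MIN_ENTROPY_BITS]
    if weak:
        findings.append(f"{len(weak)} of {len(ids)} ids carry fewer than "
                        f"{MIN_ENTROPY_BITS} bits")
    dupes = [s for s, n in Counter(ids).items() if n > 1]
    if dupes:
        findings.append(f"duplicate ids issued: {dupes}")
    # Counter-like ids: if every id parses as a number and consecutive samples
    # sit within a small window (assumed 2^16), an attacker can enumerate them.
    try:
        values = [int(s) if s.isdigit() else int(s, 16) for s in ids]
    except ValueError:
        values = []
    if len(values) > 1 and all(abs(b - a) < 2 ** 16 for a, b in zip(values, values[1:])):
        findings.append("ids look sequential (consecutive samples differ by < 2^16)")
    return findings


def url_leaks_session(url, session_id=None):
    """Item 3.6: the session id appears in a URL, either through framework
    URL rewriting or because the known id value itself is in the URL."""
    if URL_REWRITE.search(url):
        return True
    return bool(session_id) and session_id in url


# Constructed samples, not captured from any real application.
GOOD_COOKIE = ("sessionid=3f9a7c1e5b2d4a6f8e0c1b3d5f7a9c2e; "
               "Path=/app; HttpOnly; Secure; SameSite=Lax")
WEAK_COOKIE = "PHPSESSID=1000042; Path=/"
WEAK_IDS = ["1000042", "1000043", "1000044", "1000046"]

if __name__ == "__main__":
    for label, header in (("good", GOOD_COOKIE), ("weak", WEAK_COOKIE)):
        print(label, check_cookie_attributes(header, app_path="/app") or "ok")
    print("ids", assess_session_ids(WEAK_IDS))
    print("url leak", url_leaks_session("https://shop.example/app/cart;jsessionid=1000042"))
```

Run it as a script to see the findings for the constructed samples, or import the functions and feed them headers and ids collected from the application under test. The entropy figure is only an upper bound derived from the id's length and alphabet, so the randomness part of item 3.9 still needs a statistical test over a large sample of freshly issued ids (for example with Burp Suite's Sequencer).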