report/v3_session.tex

   1 \begin{enumerate}[label={V3.\arabic*}]
   2
   3     \item
   4       \pass{}
   5     Verify that there is no custom session manager, or that the custom session
   6     manager is resistant against all common session management attacks.
   7     \begin{result}
   8       The application uses the standard \PHP{} functionality; namely
   9       \code{session\_start ()} to manage sessions.
  10     \end{result}
  11
  12
  13     \item
  14       \pass{}
  15     Verify that sessions are invalidated when the user logs out.
  16     \begin{result}
  17       When a user logs out the application calls \code{forget()}, which
  18       invalidates the session.
  19     \end{result}
  20
  21
  22     \item
  23       \fail{}
  24     Verify that sessions timeout after a specified period of inactivity.
  25     \begin{result}
  26     There is absolutely no functionality which tracks how long a user has been inactive.
  27     \end{result}
  28
  29
  30   \notapplicable{%
  31     \item
  32     Verify that sessions timeout after an administratively-configurable
  33     maximum time period regardless of activity (an absolute timeout).
  34   }
  35
  36     \item
  37       \pass{}
  38     Verify that all pages that require authentication have easy and visible
  39     access to logout functionality.
  40     \begin{result}
  41     The logout functionality is plainly visible on the top right of the
  42       application on every page that requires authentication. This is defined in
  43                 \srcref{admin/themes/header.php}{16{-}30}
  44     \end{result}
  45
  46
  47     \item
  48       \pass{}
  49     Verify that the session id is never disclosed in URLs, error messages, or
  50     logs. This includes verifying that the application does not support URL
  51     rewriting of session cookies.
  52     \begin{result}
  53       The session id is only used inside the cookie. And the \PHP{}
  54       \code{\$\_SESSION} variable is never accessed outside of session
  55       management in \code{sessions.php}.
  56     \end{result}
  57
  58
  59     \item
  60       \fail{}
  61     Verify that all successful authentication and re-authentication generates
  62     a new session and session id.
  63     \begin{result}
  64     The application does not destroy the session id upon logout, it merely
  65       invalidates it. However \PHP{}'s session managements automatically
  66       invalidates the session id after some time. % Discuss?
  67     \end{result}
  68
  69
  70   \setcounter{enumi}{9}
  71     \item
  72       \pass{}
  73     Verify that only session ids generated by the application framework are
  74     recognized as active by the application.
  75     \begin{result}
  76     Since the session ids come directly from \PHP{}'s session management functionality, only ids generated by \PHP{} will be accepted by the application.
  77     \end{result}
  78
  79
  80     \item
  81       \pass{}
  82     Verify that session ids are sufficiently long, random and unique across the
  83     correct active session base.
  84     \begin{result}
  85       The session ids are generated by \PHP{} trough the \code{session\_start}
  86       function. These are indeed sufficiently long, random and unique. There are
  87       no known attacks against these session IDs.
  88     \end{result}
  89
  90
  91     \item
  92       \fail{}
  93     Verify that session ids stored in cookies have their path set to an
  94     appropriately restrictive value for the application, and authentication
  95     session tokens additionally set the \code{HttpOnly} and \code{secure} attributes.
  96     \begin{result}
  97     There is just one cookie for the application and it's path includes the whole
  98       site. However this seems appropriate. The \code{HttpOnly} and \code{secure}
  99       attributes are not set for this cookie.
 100     \end{result}
 101
 102
 103     \setcounter{enumi}{15}
 104     \item
 105       \pass{}
 106     Verify that the application limits the number of active concurrent sessions.
 107     \begin{result}
 108       By using \PHP{}'s session handling mechanism the application limits the
 109       number of active concurrent sessions adequately.
 110     \end{result}
 111
 112     \item
 113       \fail{}
 114     Verify that an active session list is displayed in the account profile or
 115     similar of each user. The user should be able to terminate any active
 116     session.
 117     \begin{result}
 118     There is no indication whatsoever of any other active sessions a user may
 119       have open.
 120     \end{result}
 121
 122     \item
 123       \fail{}
 124     Verify the user is prompted with the option to terminate all other active
 125     sessions after a successful change password process.
 126     \begin{result}
 127     There is no such option, also notable is that there is no confirmation for
 128       the password change.
 129     \end{result}
 130
 131 \end{enumerate}