1 \begin{enumerate
}[label=
{3.
\arabic*
}]
5 Verify that there is no custom session manager, or that the custom session
6 manager is resistant against all common session management attacks.
8 The application uses the standard
\PHP{} functionality; namely
9 \code{session
\_start ()
} to manage sessions.
15 Verify that sessions are invalidated when the user logs out.
17 When a user logs out the application calls
\code{forget()
}, which
18 invalidates the session.
24 Verify that sessions timeout after a specified period of inactivity.
26 There is absolutely no functionality which tracks how long a user has been inactive.
32 Verify that sessions timeout after an administratively-configurable
33 maximum time period regardless of activity (an absolute timeout).
38 Verify that all pages that require authentication have easy and visible
39 access to logout functionality.
41 The logout functionality is plainly visible on the top right of the
42 application on every page that requires authentication. This is defined in
43 \srcref{admin/themes/header.php
}{16-
30}
49 Verify that the session id is never disclosed in URLs, error messages, or
50 logs. This includes verifying that the application does not support URL
51 rewriting of session cookies.
53 The session id is only used inside the cookie. And the
\PHP{}
54 \code{\$
\_SESSION} variable is never accessed outside of session
55 management in
\srcref{sessions.php
}{}.
61 Verify that all successful authentication and re-authentication generates
62 a new session and session id.
64 The application does not destroy the session id upon logout, it merely
65 invalidates it.
\PHP{}'s
% HOWEVER!
71 Verify that only session ids generated by the application framework are
72 recognized as active by the application.
77 Verify that session ids are sufficiently long, random and unique across the
78 correct active session base.
80 The session ids are generated by
\PHP{} trough the
\code{session
\_start}
81 function. These are indeed sufficiently long, random and unique.
87 Verify that session ids stored in cookies have their path set to an
88 appropriately restrictive value for the application, and authentication
89 session tokens additionally set the “HttpOnly” and “secure” attributes.
93 Verify that the application limits the number of active concurrent sessions.
97 Verify that an active session list is displayed in the account profile or
98 similar of each user. The user should be able to terminate any active
103 Verify the user is prompted with the option to terminate all other active
104 sessions after a successful change password process.