\begin{result}
The session id is only used inside the cookie. And the \PHP{}
\code{\$\_SESSION} variable is never accessed outside of session
- management in \srcref{sessions.php}{}.
+ management in \code{sessions.php}.
\end{result}
\begin{result}
The application does not destroy the session id upon logout, it merely
invalidates it. However \PHP{}'s session managements automatically
- invalides these session id's after some time. % Discuss?
+ invalidates the session id after some time. % Discuss?
\end{result}
\fail{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
- session tokens additionally set the “HttpOnly” and “secure” attributes.
+ session tokens additionally set the \code{HttpOnly} and \code{secure} attributes.
\begin{result}
There is just one cookie for tha application and it's path includes the whole
- site. However this seems appropriate. The ``HttpOnly'' and ``secure''
+ site. However this seems appropriate. The \code{HttpOnly} and \code{secure}
attributes are not set for this cookie.
\end{result}
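Review bot: the \srcref{sessions.php}{} to \code{sessions.php} change drops the source cross-reference instead of fixing its empty second argument; if \srcref takes a line or anchor, fill it in so the reader can still jump to the session-management code, and only fall back to \code{} if the macro is being retired throughout. The second result is still self-contradictory after the rewording: "does not destroy the session id upon logout, it merely invalidates it" should say what logout actually does (for example, whether it clears the login state in \$\_SESSION without calling session\_destroy(), so the same id is still accepted by the session handler), and "after some time" should be tied to session.gc\_maxlifetime with the caveat that PHP's garbage collection is probabilistic (session.gc\_probability / session.gc\_divisor), so an idle id can outlive that limit; the "% Discuss?" marker is still in place and should be resolved or removed before this lands. While touching the HttpOnly/secure lines, fix "tha application and it's path" to "the application and its path" in the context line, and spell the attribute Secure (capitalised, as in the cookie spec) consistently in both the requirement and the result.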
session.
\begin{result}
There is no indication whatsoever of any other active sessions a user may
- have open
+ have open.
\end{result}
\item
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.
\begin{result}
- There is no such option, also notaeable is that there is no confirmation for
+ There is no such option, also notable is that there is no confirmation for
the password change.
\end{result}
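Review bot: the typo fix in the last result is fine, but "also notable is that there is no confirmation for the password change" is still ambiguous about which control is missing: no re-entry of the current password (re-authentication before the change), no second new-password field, or no confirmation message afterwards; state which one it is, since only the missing re-authentication is a security finding rather than a usability one. "There is no such option, also notable ..." also reads as a run-on and should be split into two sentences. The added full stop on "have open." is correct.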