-\begin{enumerate}[label={3.\arabic*}]
+\begin{enumerate}[label={V3.\arabic*}]
\item
- \TODO{}
+ \pass{}
Verify that there is no custom session manager, or that the custom session
manager is resistant against all common session management attacks.
+ \begin{result}
+ The application uses the standard \PHP{} functionality; namely
+ \code{session\_start ()} to manage sessions.
+ \end{result}
+
\item
- \TODO{}
+ \pass{}
Verify that sessions are invalidated when the user logs out.
+ \begin{result}
+ When a user logs out the application calls \code{forget()}, which
+ invalidates the session.
+ \end{result}
+
\item
- \TODO{}
+ \fail{}
Verify that sessions timeout after a specified period of inactivity.
+ \begin{result}
+ There is absolutely no functionality which tracks how long a user has been inactive.
+ \end{result}
+
- \notapplicable{
+ \notapplicable{%
\item
Verify that sessions timeout after an administratively-configurable
maximum time period regardless of activity (an absolute timeout).
}
\item
- \TODO{}
+ \pass{}
Verify that all pages that require authentication have easy and visible
access to logout functionality.
+ \begin{result}
+ The logout functionality is plainly visible on the top right of the
+ application on every page that requires authentication. This is defined in
+ \srcref{admin/themes/header.php}{16{-}30}
+ \end{result}
+
\item
- \TODO{}
+ \pass{}
Verify that the session id is never disclosed in URLs, error messages, or
logs. This includes verifying that the application does not support URL
rewriting of session cookies.
+ \begin{result}
+ The session id is only used inside the cookie. And the \PHP{}
+ \code{\$\_SESSION} variable is never accessed outside of session
+ management in \srcref{sessions.php}{}.
+ \end{result}
+
\item
- \TODO{}
+ \fail{}
Verify that all successful authentication and re-authentication generates
a new session and session id.
+ \begin{result}
+ The application does not destroy the session id upon logout, it merely
+ invalidates it. However \PHP{}'s session managements automatically
+ invalides these session id's after some time. % Discuss?
+ \end{result}
- \notapplicable{
- \item
+
+ \setcounter{enumi}{9}
+ \notapplicable{%
+ \item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}
\item
- \TODO{}
+ \pass{}
Verify that session ids are sufficiently long, random and unique across the
correct active session base.
+ \begin{result}
+ The session ids are generated by \PHP{} trough the \code{session\_start}
+ function. These are indeed sufficiently long, random and unique. There are
+ no known attacks against these session ID's.
+ \end{result}
+
\item
- \TODO{}
+ \fail{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
session tokens additionally set the “HttpOnly” and “secure” attributes.
+ \begin{result}
+ There is just one cookie for tha application and it's path includes the whole
+ site. However this seems appropriate. The ``HttpOnly'' and ``secure''
+ attributes are not set for this cookie.
+ \end{result}
+
+ \setcounter{enumi}{15}
\item
- \TODO{}
+ \pass{}
Verify that the application limits the number of active concurrent sessions.
+ \begin{result}
+ By using \PHP{}'s session handling mechanism the application limits the
+ number of active concurrent sessions adequately.
+ \end{result}
\item
- \TODO{}
+ \fail{}
Verify that an active session list is displayed in the account profile or
similar of each user. The user should be able to terminate any active
session.
+ \begin{result}
+ There is no indication whatsoever of any other active sessions a user may
+ have open
+ \end{result}
\item
- \TODO{}
+ \fail{}
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.
+ \begin{result}
+ There is no such option, also notaeable is that there is no confirmation for
+ the password change.
+ \end{result}
\end{enumerate}
repositories / ssproject1617.git / blobdiff