\begin{enumerate}[label={3.\arabic*}]
\item
- \TODO{}
+ \pass
Verify that there is no custom session manager, or that the custom session
manager is resistant against all common session management attacks.
+ \begin{result}
+ The application uses the standard \PHP functionality;
+ \code{session_start()} to manage sessions.
+ \end{result}
+
\item
- \TODO{}
+ \pass
Verify that sessions are invalidated when the user logs out.
+ \begin{result}
+ When a user logs out the application calls \code{forget()}, which destroys
+ the session.
+ \end{result}
+
\item
- \TODO{}
+ \fail
Verify that sessions timeout after a specified period of inactivity.
+ \begin{result}
+ There is no functionality which tracks how long a user has been inactive.
+ \end{result}
+
\notapplicable{
\item
repositories / ssproject1617.git / blobdiff