\begin{result}
The session id is only used inside the cookie. And the \PHP{}
\code{\$\_SESSION} variable is never accessed outside of session
- management in \srcref{sessions.php}{}.
+ management in \code{sessions.php}.
\end{result}
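Review bot: the `+ management in \code{sessions.php}.` line swaps the \srcref macro for \code, so the reader loses whatever \srcref provided (a source reference to the file, judging by its name). If the empty second argument of \srcref{sessions.php}{} was the problem, filling that argument in is preferable to downgrading the reference to plain code formatting; if \srcref is being dropped on purpose, the commit should say so.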
\begin{result}
The application does not destroy the session id upon logout, it merely
invalidates it. However \PHP{}'s session managements automatically
- invalides these session id's after some time. % Discuss?
+ invalidates the session id after some time. % Discuss?
\end{result}
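Review bot: the rewritten `+ invalidates the session id after some time.` line still leans on PHP's session garbage collector, and that is a weak argument for a logout check: PHP only removes idle session data when gc runs, which happens per request with probability session.gc_probability/session.gc_divisor and only for sessions older than session.gc_maxlifetime, so an id that was merely "invalidated" can remain usable for a long time. The result should say what logout actually does (whether session_destroy() and session_regenerate_id() are called) and either record this as a finding or explain why the gc behaviour is acceptable; the `% Discuss?` marker should be resolved instead of carried over.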
- \notapplicable{%
+ \setcounter{enumi}{9}
\item
Verify that only session ids generated by the application framework are
recognized as active by the application.
+ \begin{result}
+ Since the session ids come directly from \PHP{}'s session management functionality, only ids generated by \PHP{} will be accepted by the application.
+ \end{result}
+
}
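Review bot: removing `- \notapplicable{%` leaves the closing `}` two lines after the added `\end{result}` unmatched, which will break the LaTeX build; that `}` has to go too (or the \notapplicable wrapper stays). The new result text also claims more than PHP guarantees: with the default session.use_strict_mode=0, session_start() accepts whatever id the client sends in the cookie and creates a session under it, so ids that PHP did not generate are recognized as active unless use_strict_mode is enabled (in php.ini or via session_start(['use_strict_mode' => true])). The result should state which setting the application runs with before passing this requirement.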
\item
\begin{result}
The session ids are generated by \PHP{} trough the \code{session\_start}
function. These are indeed sufficiently long, random and unique. There are
- no known attacks against these session ID's.
+ no known attacks against these session IDs.
\end{result}
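Review bot: `trough` on the context line should be `through`, and the `\item` above it carries no requirement text and no \pass{}/\fail{} mark, unlike the surrounding items. The `+ no known attacks against these session IDs.` line should also name what was checked rather than stand bare; the relevant knobs are session.sid_length and session.sid_bits_per_character (PHP 7.1 and later), which decide how much entropy the ids carry.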
\fail{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
- session tokens additionally set the “HttpOnly” and “secure” attributes.
+ session tokens additionally set the \code{HttpOnly} and \code{secure} attributes.
\begin{result}
- There is just one cookie for tha application and it's path includes the whole
- site. However this seems appropriate. The ``HttpOnly'' and ``secure''
+ There is just one cookie for the application and it's path includes the whole
+ site. However this seems appropriate. The \code{HttpOnly} and \code{secure}
attributes are not set for this cookie.
\end{result}
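Review bot: the `+ There is just one cookie for the application and it's path includes the whole` line keeps `it's` where `its` is meant. On substance, the result confirms that HttpOnly and secure are unset, which agrees with the \fail{} mark, but it should name the remedy since it is an ini-level fix: session.cookie_httponly=1 and session.cookie_secure=1, or the equivalent call to session_set_cookie_params(). The statement that a site-wide path "seems appropriate" should also say why (for instance that the application is the only thing served under that host).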
+ \setcounter{enumi}{15}
\item
\pass{}
Verify that the application limits the number of active concurrent sessions.
session.
\begin{result}
There is no indication whatsoever of any other active sessions a user may
- have open
+ have open.
\end{result}
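Review bot: the lone `session.` on the line after the requirement text is a duplicated fragment and should be deleted, and \pass{} contradicts the result: "no indication whatsoever of any other active sessions" means no limit on concurrent sessions was found, which is a \fail{}, not a pass, unless the result is rewritten to say how the limit is enforced. Also, `+ \setcounter{enumi}{15}` is a second hand-maintained counter reset; if requirement numbers are skipped on purpose, a single macro that sets the number per item would be less fragile than scattered \setcounter calls.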
\item
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.
\begin{result}
- There is no such option, also notqeable is that there is no confirmation for
+ There is no such option, also notable is that there is no confirmation for
the password change.
\end{result}
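Review bot: the final `\item` has no \pass{}/\fail{} mark, and the result (no option to terminate other sessions, and no confirmation for the password change at all) describes two findings, so it should be marked \fail{}. The missing password-change confirmation is a separate issue from the session-termination requirement and deserves its own sentence or its own result block rather than an aside.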