\setcounter{enumi}{9}
- \notapplicable{%
- \item
+ \item
+ \pass{}
Verify that only session ids generated by the application framework are
recognized as active by the application.
- }
+ \begin{result}
+ Since the session ids come directly from \PHP{}'s session management functionality, only ids generated by \PHP{} will be accepted by the application.
+ \end{result}
+
\item
\pass{}
\begin{result}
The session ids are generated by \PHP{} trough the \code{session\_start}
function. These are indeed sufficiently long, random and unique. There are
- no known attacks against these session ID's.
+ no known attacks against these session IDs.
\end{result}
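Review bot: The justification added in the new \begin{result} block ("only ids generated by \PHP{} will be accepted by the application") only holds if \code{session.use\_strict\_mode} is enabled; with PHP's default setting the native session handler will accept a client-supplied, never-initialised session id and start a session under it, so an attacker-chosen id is recognised as active (session fixation). Before marking this item \pass{}, state in the result which setting was verified, e.g. "\code{session.use\_strict\_mode} is set to \code{1}, so client-supplied ids that were not generated by \PHP{} are rejected", or cite the \code{session\_regenerate\_id} call that achieves the same effect. Unrelated nit in the context lines: "trough the \code{session\_start} function" should read "through".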
appropriately restrictive value for the application, and authentication
session tokens additionally set the \code{HttpOnly} and \code{secure} attributes.
\begin{result}
- There is just one cookie for tha application and it's path includes the whole
+ There is just one cookie for the application and it's path includes the whole
site. However this seems appropriate. The \code{HttpOnly} and \code{secure}
attributes are not set for this cookie.
\end{result}
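Review bot: The corrected line still contains a grammar error: "it's path includes the whole site" should be "its path includes the whole site" (possessive, not the contraction). While touching this line, "However this seems appropriate" would read better with a comma and a reason, e.g. "However, this is appropriate because the application is served from the site root", so the reader can tell why a site-wide path is acceptable here.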