-\begin{enumerate}[label={3.\arabic*}]
+\begin{enumerate}[label={V3.\arabic*}]
\item
\pass{}
\begin{result}
The logout functionality is plainly visible on the top right of the
application on every page that requires authentication. This is defined in
- \srcref{admin/themes/header.php}{16-30}
+ \srcref{admin/themes/header.php}{16{-}30}
\end{result}
\begin{result}
The session id is only used inside the cookie. And the \PHP{}
\code{\$\_SESSION} variable is never accessed outside of session
- management in \srcref{sessions.php}{}.
+ management in \code{sessions.php}.
\end{result}
\item
- \fail{}
+ \fail{}
Verify that all successful authentication and re-authentication generates
a new session and session id.
\begin{result}
The application does not destroy the session id upon logout, it merely
- invalidates it. \PHP{}'s % HOWEVER!
+ invalidates it. However \PHP{}'s session managements automatically
+ invalidates the session id after some time. % Discuss?
\end{result}
+ \setcounter{enumi}{9}
\notapplicable{%
- \item
+ \item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}
\item
- \pass{}
+ \pass{}
Verify that session ids are sufficiently long, random and unique across the
correct active session base.
\begin{result}
The session ids are generated by \PHP{} trough the \code{session\_start}
- function. These are indeed sufficiently long, random and unique.
+ function. These are indeed sufficiently long, random and unique. There are
+ no known attacks against these session IDs.
\end{result}
\item
- \TODO{}
+ \fail{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
- session tokens additionally set the “HttpOnly” and “secure” attributes.
+ session tokens additionally set the \code{HttpOnly} and \code{secure} attributes.
+ \begin{result}
+ There is just one cookie for the application and it's path includes the whole
+ site. However this seems appropriate. The \code{HttpOnly} and \code{secure}
+ attributes are not set for this cookie.
+ \end{result}
+
+ \setcounter{enumi}{15}
\item
- \TODO{}
+ \pass{}
Verify that the application limits the number of active concurrent sessions.
+ \begin{result}
+ By using \PHP{}'s session handling mechanism the application limits the
+ number of active concurrent sessions adequately.
+ \end{result}
\item
- \TODO{}
+ \fail{}
Verify that an active session list is displayed in the account profile or
similar of each user. The user should be able to terminate any active
session.
+ \begin{result}
+ There is no indication whatsoever of any other active sessions a user may
+ have open.
+ \end{result}
\item
- \TODO{}
+ \fail{}
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.
+ \begin{result}
+ There is no such option, also notable is that there is no confirmation for
+ the password change.
+ \end{result}
\end{enumerate}
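Review bot: The V3.2 result (`The application does not destroy the session id upon logout, it merely` / `invalidates it. However \PHP{}'s session managements automatically`) does not address the requirement it sits under, which asks that every successful authentication and re-authentication generate a new session and session id; the text only covers logout and the eventual expiry of the id. Either state whether a fresh id is issued at login (with a \srcref{} like the other results) or move the logout observation to the item it belongs to, and resolve the `% Discuss?` marker before this is merged. Grammar and typos in the added lines: `session managements automatically` should be `session management automatically`, `it's path` in the V3.12 result should be `its path`, and `There is no such option, also notable is that` is a comma splice. The V3.16 pass result gives no evidence: unlike the other results it cites no code location and does not say what limit PHP's session handling imposes or where the application configures it, so the verdict is not verifiable from the report. Finally, several `-`/`+` pairs such as `\fail{}` and `\pass{}` are indentation-only changes that add noise to the diff; consider separating whitespace cleanup from content changes.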