X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv3_session.tex;h=4decd565494a757f8f8acfe1a15602f0ef5bf94e;hb=37c1ce0fc9ce34e0629c0b4384edfbc1297f3e79;hp=d6dab6cea5a4d522ec084a8d05debae79282c95d;hpb=a06f593282947a490cc23d1186eddfdd4774f790;p=ssproject1617.git diff --git a/report/v3_session.tex b/report/v3_session.tex index d6dab6c..4decd56 100644 --- a/report/v3_session.tex +++ b/report/v3_session.tex @@ -1,4 +1,4 @@ -\begin{enumerate}[label={3.\arabic*}] +\begin{enumerate}[label={V3.\arabic*}] \item \pass{} @@ -40,7 +40,7 @@ \begin{result} The logout functionality is plainly visible on the top right of the application on every page that requires authentication. This is defined in - \srcref{admin/themes/header.php}{16-30} + \srcref{admin/themes/header.php}{16{-}30} \end{result} @@ -57,50 +57,72 @@ \item - \fail{} + \fail{} Verify that all successful authentication and re-authentication generates a new session and session id. \begin{result} The application does not destroy the session id upon logout, it merely - invalidates it. \PHP{}'s % HOWEVER! + invalidates it. However \PHP{}'s session managements automatically + invalides these session id's after some time. % Discuss? \end{result} + \setcounter{enumi}{9} \notapplicable{% - \item + \item Verify that only session ids generated by the application framework are recognized as active by the application. } \item - \pass{} + \pass{} Verify that session ids are sufficiently long, random and unique across the correct active session base. \begin{result} The session ids are generated by \PHP{} trough the \code{session\_start} - function. These are indeed sufficiently long, random and unique. + function. These are indeed sufficiently long, random and unique. There are + no known attacks against these session ID's. \end{result} \item - \TODO{} + \fail{} Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication session tokens additionally set the “HttpOnly” and “secure” attributes. + \begin{result} + There is just one cookie for tha application and it's path includes the whole + site. However this seems appropriate. The ``HttpOnly'' and ``secure'' + attributes are not set for this cookie. + \end{result} + + \setcounter{enumi}{15} \item - \TODO{} + \pass{} Verify that the application limits the number of active concurrent sessions. + \begin{result} + By using \PHP{}'s session handling mechanism the application limits the + number of active concurrent sessions adequately. + \end{result} \item - \TODO{} + \fail{} Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session. + \begin{result} + There is no indication whatsoever of any other active sessions a user may + have open + \end{result} \item - \TODO{} + \fail{} Verify the user is prompted with the option to terminate all other active sessions after a successful change password process. + \begin{result} + There is no such option, also notaeable is that there is no confirmation for + the password change. + \end{result} \end{enumerate}