X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv3_session.tex;h=4decd565494a757f8f8acfe1a15602f0ef5bf94e;hb=8393e7fae8720a46bc2832b8236b766f285a784d;hp=9e066ccf8e6477f2647559742b2ab4d2221cb661;hpb=2ef9a68b3bb4325db2bfea2eb729faa03a776366;p=ssproject1617.git diff --git a/report/v3_session.tex b/report/v3_session.tex index 9e066cc..4decd56 100644 --- a/report/v3_session.tex +++ b/report/v3_session.tex 
@@ -1,70 +1,128 @@ -\begin{enumerate}[label={3.\arabic*}] +\begin{enumerate}[label={V3.\arabic*}] \item - \TODO{} + \pass{} Verify that there is no custom session manager, or that the custom session manager is resistant against all common session management attacks. + \begin{result} + The application uses the standard \PHP{} functionality; namely + \code{session\_start ()} to manage sessions. + \end{result} + \item - \TODO{} + \pass{} Verify that sessions are invalidated when the user logs out. + \begin{result} + When a user logs out the application calls \code{forget()}, which + invalidates the session. + \end{result} + \item - \TODO{} + \fail{} Verify that sessions timeout after a specified period of inactivity. + \begin{result} + There is absolutely no functionality which tracks how long a user has been inactive. + \end{result} + - \notapplicable{ + \notapplicable{% \item Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). } \item - \TODO{} + \pass{} Verify that all pages that require authentication have easy and visible access to logout functionality. + \begin{result} + The logout functionality is plainly visible on the top right of the + application on every page that requires authentication. This is defined in + \srcref{admin/themes/header.php}{16{-}30} + \end{result} + \item - \TODO{} + \pass{} Verify that the session id is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. + \begin{result} + The session id is only used inside the cookie. And the \PHP{} + \code{\$\_SESSION} variable is never accessed outside of session + management in \srcref{sessions.php}{}. + \end{result} + \item - \TODO{} + \fail{} Verify that all successful authentication and re-authentication generates a new session and session id. 
+ \begin{result} + The application does not destroy the session id upon logout, it merely + invalidates it. However \PHP{}'s session managements automatically + invalides these session id's after some time. % Discuss? + \end{result} - \notapplicable{ - \item + + \setcounter{enumi}{9} + \notapplicable{% + \item Verify that only session ids generated by the application framework are recognized as active by the application. } \item - \TODO{} + \pass{} Verify that session ids are sufficiently long, random and unique across the correct active session base. + \begin{result} + The session ids are generated by \PHP{} trough the \code{session\_start} + function. These are indeed sufficiently long, random and unique. There are + no known attacks against these session ID's. + \end{result} + \item - \TODO{} + \fail{} Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication session tokens additionally set the “HttpOnly” and “secure” attributes. + \begin{result} + There is just one cookie for tha application and it's path includes the whole + site. However this seems appropriate. The ``HttpOnly'' and ``secure'' + attributes are not set for this cookie. + \end{result} + + \setcounter{enumi}{15} \item - \TODO{} + \pass{} Verify that the application limits the number of active concurrent sessions. + \begin{result} + By using \PHP{}'s session handling mechanism the application limits the + number of active concurrent sessions adequately. + \end{result} \item - \TODO{} + \fail{} Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session. + \begin{result} + There is no indication whatsoever of any other active sessions a user may + have open + \end{result} \item - \TODO{} + \fail{} Verify the user is prompted with the option to terminate all other active sessions after a successful change password process. 
+ \begin{result} + There is no such option, also notaeable is that there is no confirmation for + the password change. + \end{result} \end{enumerate}
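Review bot: the V3.7 result does not answer the requirement it sits under. V3.7 asks whether every successful authentication and re-authentication generates a new session and session id, but the result only talks about logout ("The application does not destroy the session id upon logout, it merely invalidates it") and then defers to PHP expiring ids "after some time", with a "% Discuss?" comment left in the source. A \fail{} here needs to state whether the login path calls \code{session\_regenerate\_id()} (or equivalent) after a successful authentication, and the stray "% Discuss?" should be resolved before this is merged. The same result also contradicts V3.2, which passes on the grounds that \code{forget()} "invalidates the session"; pick one description of what logout actually does to the session and use it in both places. Second, V3.16 is marked \pass{} with the justification "By using \PHP{}'s session handling mechanism the application limits the number of active concurrent sessions adequately", but no code or mechanism is cited that enforces any per-user limit; either reference the limiting code with a \srcref{} like the other items, or mark it \fail{}. Smaller points in the same hunk: V3.6 says "\code{\$\_SESSION} variable is never accessed outside of session management", but \code{\$\_SESSION} holds session data, not the session id, so the disclosure check should be about \code{session\_id()} / the cookie value and the sentence should not start with "And"; the V3.17 result is missing its final period after "have open"; and the typos "invalides", "session id's", "tha application", "it's path", "trough" and "notaeable" should read "invalidates", "session ids", "the application", "its path", "through" and "notable".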