X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv3_session.tex;h=712b717af7c934714b5830f6ee2896644a958e5e;hb=7b4f3b58aaa2b1f15acaacfb28f5ce20903f7c5e;hp=b2fa838f071066f3766d74a497db6537ec093f3b;hpb=e251c8ef73e9b9c5703aef88a0c97fe0c0f704d8;p=ssproject1617.git diff --git a/report/v3_session.tex b/report/v3_session.tex index b2fa838..712b717 100644 --- a/report/v3_session.tex +++ b/report/v3_session.tex @@ -1,4 +1,4 @@ -\begin{enumerate}[label={3.\arabic*}] +\begin{enumerate}[label={V3.\arabic*}] \item \pass{} @@ -40,7 +40,7 @@ \begin{result} The logout functionality is plainly visible on the top right of the application on every page that requires authentication. This is defined in - \srcref{admin/themes/header.php}{16-30} + \srcref{admin/themes/header.php}{16{-}30} \end{result} @@ -52,7 +52,7 @@ \begin{result} The session id is only used inside the cookie. And the \PHP{} \code{\$\_SESSION} variable is never accessed outside of session - management in \srcref{sessions.php}{}. + management in \code{sessions.php}. \end{result} @@ -63,14 +63,18 @@ \begin{result} The application does not destroy the session id upon logout, it merely invalidates it. However \PHP{}'s session managements automatically - invalides these session id's after some time. % Discuss? + invalidates the session id after some time. % Discuss? \end{result} - \notapplicable{% + \setcounter{enumi}{9} \item Verify that only session ids generated by the application framework are recognized as active by the application. + \begin{result} + Since the session ids come directly from \PHP{}'s session management functionality, only ids generated by \PHP{} will be accepted by the application. + \end{result} + } \item @@ -80,7 +84,7 @@ \begin{result} The session ids are generated by \PHP{} trough the \code{session\_start} function. These are indeed sufficiently long, random and unique. There are - no known attacks against these session ID's. + no known attacks against these session IDs. \end{result} @@ -88,14 +92,15 @@ \fail{} Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication - session tokens additionally set the “HttpOnly” and “secure” attributes. + session tokens additionally set the \code{HttpOnly} and \code{secure} attributes. \begin{result} - There is just one cookie for tha application and it's path includes the whole - site. However this seems appropriate. The "HttpOnly" and "secure" + There is just one cookie for the application and it's path includes the whole + site. However this seems appropriate. The \code{HttpOnly} and \code{secure} attributes are not set for this cookie. \end{result} + \setcounter{enumi}{15} \item \pass{} Verify that the application limits the number of active concurrent sessions. @@ -111,7 +116,7 @@ session. \begin{result} There is no indication whatsoever of any other active sessions a user may - have open + have open. \end{result} \item @@ -119,7 +124,7 @@ Verify the user is prompted with the option to terminate all other active sessions after a successful change password process. \begin{result} - There is no such option, also notqeable is that there is no confirmation for + There is no such option, also notable is that there is no confirmation for the password change. \end{result}