X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv3_session.tex;h=712b717af7c934714b5830f6ee2896644a958e5e;hb=7b4f3b58aaa2b1f15acaacfb28f5ce20903f7c5e;hp=d1a02b489c0bc8e6fcc8933b604e027cdd01865e;hpb=67f014d95fdc06c3170f805afae6a48fa101bb3f;p=ssproject1617.git diff --git a/report/v3_session.tex b/report/v3_session.tex index d1a02b4..712b717 100644 --- a/report/v3_session.tex +++ b/report/v3_session.tex @@ -52,7 +52,7 @@ \begin{result} The session id is only used inside the cookie. And the \PHP{} \code{\$\_SESSION} variable is never accessed outside of session - management in \srcref{sessions.php}{}. + management in \code{sessions.php}. \end{result} @@ -63,14 +63,18 @@ \begin{result} The application does not destroy the session id upon logout, it merely invalidates it. However \PHP{}'s session managements automatically - invalides these session id's after some time. % Discuss? + invalidates the session id after some time. % Discuss? \end{result} - \notapplicable{% + \setcounter{enumi}{9} \item Verify that only session ids generated by the application framework are recognized as active by the application. + \begin{result} + Since the session ids come directly from \PHP{}'s session management functionality, only ids generated by \PHP{} will be accepted by the application. + \end{result} + } \item @@ -80,7 +84,7 @@ \begin{result} The session ids are generated by \PHP{} trough the \code{session\_start} function. These are indeed sufficiently long, random and unique. There are - no known attacks against these session ID's. + no known attacks against these session IDs. \end{result} 
@@ -88,14 +92,15 @@ \fail{} Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication - session tokens additionally set the “HttpOnly” and “secure” attributes. + session tokens additionally set the \code{HttpOnly} and \code{secure} attributes. \begin{result} - There is just one cookie for tha application and it's path includes the whole - site. However this seems appropriate. The ``HttpOnly'' and ``secure'' + There is just one cookie for the application and it's path includes the whole + site. However this seems appropriate. The \code{HttpOnly} and \code{secure} attributes are not set for this cookie. \end{result} + \setcounter{enumi}{15} \item \pass{} Verify that the application limits the number of active concurrent sessions. @@ -111,7 +116,7 @@ session. \begin{result} There is no indication whatsoever of any other active sessions a user may - have open + have open. \end{result} \item @@ -119,7 +124,7 @@ Verify the user is prompted with the option to terminate all other active sessions after a successful change password process. \begin{result} - There is no such option, also notqeable is that there is no confirmation for + There is no such option, also notable is that there is no confirmation for the password change. \end{result}
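Review bot: In the first hunk (`@@ -52,7 +52,7 @@`), replacing `\srcref{sessions.php}{}` with `\code{sessions.php}` drops the source reference; if `\srcref` is the report's macro for linking a finding to the audited file, this result loses its traceability to the code it describes. Keep `\srcref{sessions.php}{}` (filling in its second argument with the relevant lines) unless the macro is being retired across the whole report.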
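Review bot: In the second hunk (`@@ -63,14 +63,18 @@`), the `\notapplicable{%` opening is removed but its closing `}` is left in the unchanged context after the new `\end{result}`, so the file now has an unmatched brace and LaTeX will stop with an "Extra }" error; delete that `}` as well. The added result, "only ids generated by \PHP{} will be accepted by the application", also does not hold under PHP's defaults: unless `session.use_strict_mode` is enabled, `session_start` adopts any well-formed id presented in the session cookie and initialises a session under it, so the item should only be marked as satisfied after that setting has been checked (or after showing that the application calls `session_regenerate_id` once the user authenticates). The context line "session managements automatically" should also read "session management automatically".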
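Review bot: In the third hunk (`@@ -80,7 +84,7 @@`), the context line "generated by \PHP{} trough the \code{session\_start} function" still has "trough" for "through" and could be fixed in the same pass; the result's claim that the ids are "sufficiently long, random and unique" would be better supported by recording the PHP version and the relevant `session.*` ini settings that were observed, since the id generator depends on them.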
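Review bot: In the fourth hunk (`@@ -88,14 +92,15 @@`), the rewritten line still reads "it's path" where "its path" is meant. The result should also say explicitly that the `\fail{}` verdict rests on the missing \code{HttpOnly} and \code{secure} attributes and not on the site-wide cookie path, which the text itself calls appropriate; as written the two sentences sit next to each other without stating which one causes the failure. The added `\setcounter{enumi}{15}` hard-codes the item number, so any item inserted or removed above it will silently shift the numbering; a short comment naming the checklist item it resets to would help the next editor.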
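Review bot: In the last hunk (`@@ -119,7 +124,7 @@`), the typo fix is correct but the sentence remains a comma splice; "There is no such option. Also notable is that there is no confirmation for the password change." reads better. The second observation (no confirmation step on password change) is a separate finding from this item's question about terminating other sessions, so consider giving it its own remark so it is not lost inside this result.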