X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv3_session.tex;h=de653124f172d2bd1105a323ee975ce67eb9dadc;hb=a3400d1700e841084471bd01f91ddf9234c9413f;hp=d6dab6cea5a4d522ec084a8d05debae79282c95d;hpb=a06f593282947a490cc23d1186eddfdd4774f790;p=ssproject1617.git diff --git a/report/v3_session.tex b/report/v3_session.tex index d6dab6c..de65312 100644 --- a/report/v3_session.tex +++ b/report/v3_session.tex @@ -1,4 +1,4 @@ -\begin{enumerate}[label={3.\arabic*}] +\begin{enumerate}[label={V3.\arabic*}] \item \pass{} @@ -40,7 +40,7 @@ \begin{result} The logout functionality is plainly visible on the top right of the application on every page that requires authentication. This is defined in - \srcref{admin/themes/header.php}{16-30} + \srcref{admin/themes/header.php}{16{-}30} \end{result} @@ -52,55 +52,77 @@ \begin{result} The session id is only used inside the cookie. And the \PHP{} \code{\$\_SESSION} variable is never accessed outside of session - management in \srcref{sessions.php}{}. + management in \code{sessions.php}. \end{result} \item - \fail{} + \fail{} Verify that all successful authentication and re-authentication generates a new session and session id. \begin{result} The application does not destroy the session id upon logout, it merely - invalidates it. \PHP{}'s % HOWEVER! + invalidates it. However \PHP{}'s session managements automatically + invalidates the session id after some time. % Discuss? \end{result} + \setcounter{enumi}{9} \notapplicable{% - \item + \item Verify that only session ids generated by the application framework are recognized as active by the application. } \item - \pass{} + \pass{} Verify that session ids are sufficiently long, random and unique across the correct active session base. \begin{result} The session ids are generated by \PHP{} trough the \code{session\_start} - function. These are indeed sufficiently long, random and unique. + function. These are indeed sufficiently long, random and unique. There are + no known attacks against these session IDs. \end{result} \item - \TODO{} + \fail{} Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication - session tokens additionally set the “HttpOnly” and “secure” attributes. + session tokens additionally set the \code{HttpOnly} and \code{secure} attributes. + \begin{result} + There is just one cookie for the application and it's path includes the whole + site. However this seems appropriate. The \code{HttpOnly} and \code{secure} + attributes are not set for this cookie. + \end{result} + + \setcounter{enumi}{15} \item - \TODO{} + \pass{} Verify that the application limits the number of active concurrent sessions. + \begin{result} + By using \PHP{}'s session handling mechanism the application limits the + number of active concurrent sessions adequately. + \end{result} \item - \TODO{} + \fail{} Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session. + \begin{result} + There is no indication whatsoever of any other active sessions a user may + have open. + \end{result} \item - \TODO{} + \fail{} Verify the user is prompted with the option to terminate all other active sessions after a successful change password process. + \begin{result} + There is no such option, also notable is that there is no confirmation for + the password change. + \end{result} \end{enumerate}