X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv3_session.tex;h=de653124f172d2bd1105a323ee975ce67eb9dadc;hb=a3400d1700e841084471bd01f91ddf9234c9413f;hp=fc9cd6c0415dcd24064559f2098cc993105dd957;hpb=06d7ae862f750a89968a0c7c2104b133e801d3a5;p=ssproject1617.git

diff --git a/report/v3_session.tex b/report/v3_session.tex
index fc9cd6c..de65312 100644
--- a/report/v3_session.tex
+++ b/report/v3_session.tex
@@ -40,7 +40,7 @@
     \begin{result}
     The logout functionality is plainly visible on the top right of the
       application on every page that requires authentication. This is defined in
-      \srcref{admin/themes/header.php}{16-30}
+		\srcref{admin/themes/header.php}{16{-}30}
     \end{result}
 
 
@@ -52,7 +52,7 @@
     \begin{result}
       The session id is only used inside the cookie. And the \PHP{}
       \code{\$\_SESSION} variable is never accessed outside of session
-      management in \srcref{sessions.php}{}.
+      management in \code{sessions.php}.
     \end{result}
 
 
@@ -63,10 +63,11 @@
     \begin{result}
     The application does not destroy the session id upon logout, it merely
       invalidates it. However \PHP{}'s session managements automatically
-      invalides these session id's after some time. % Discuss?
+      invalidates the session id after some time. % Discuss?
     \end{result}
 
 
+  \setcounter{enumi}{9}
   \notapplicable{%
       \item
     Verify that only session ids generated by the application framework are
@@ -80,7 +81,7 @@
     \begin{result}
       The session ids are generated by \PHP{} trough the \code{session\_start}
       function. These are indeed sufficiently long, random and unique. There are
-      no known attacks against these session ID's.
+      no known attacks against these session IDs.
     \end{result}
 
 
@@ -88,14 +89,15 @@
       \fail{}
     Verify that session ids stored in cookies have their path set to an
     appropriately restrictive value for the application, and authentication
-    session tokens additionally set the “HttpOnly” and “secure” attributes.
+    session tokens additionally set the \code{HttpOnly} and \code{secure} attributes.
     \begin{result}
-    There is just one cookie for tha application and it's path includes the whole
-      site. However this seems appropriate. The "HttpOnly" and "secure"
+    There is just one cookie for the application and it's path includes the whole
+      site. However this seems appropriate. The \code{HttpOnly} and \code{secure}
       attributes are not set for this cookie.
     \end{result}
 
 
+    \setcounter{enumi}{15}
     \item
       \pass{}
     Verify that the application limits the number of active concurrent sessions.
@@ -111,7 +113,7 @@
     session.
     \begin{result}
     There is no indication whatsoever of any other active sessions a user may
-      have open
+      have open.
     \end{result}
 
     \item
@@ -119,7 +121,7 @@
     Verify the user is prompted with the option to terminate all other active
     sessions after a successful change password process.
     \begin{result}
-    There is no such option, also notaeable is that there is no confirmation for
+    There is no such option, also notable is that there is no confirmation for
       the password change.
     \end{result}