X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv3_session.tex;h=fc9cd6c0415dcd24064559f2098cc993105dd957;hb=06d7ae862f750a89968a0c7c2104b133e801d3a5;hp=5b1f207fd4d445e1bb73290a1b1c26d55f086c0b;hpb=a96b8664d0a69c379e356c4ca606772373f5d108;p=ssproject1617.git

diff --git a/report/v3_session.tex b/report/v3_session.tex
index 5b1f207..fc9cd6c 100644
--- a/report/v3_session.tex
+++ b/report/v3_session.tex
@@ -1,84 +1,126 @@
-\begin{enumerate}[label={3.\arabic*}]
+\begin{enumerate}[label={V3.\arabic*}]
 
     \item
-    \pass
+      \pass{}
     Verify that there is no custom session manager, or that the custom session
     manager is resistant against all common session management attacks.
     \begin{result}
-      The application uses the standard \PHP functionality;
-      \code{session_start()} to manage sessions.
+      The application uses the standard \PHP{} functionality; namely
+      \code{session\_start ()} to manage sessions.
     \end{result}
 
 
     \item
-    \pass
+      \pass{}
     Verify that sessions are invalidated when the user logs out.
     \begin{result}
-      When a user logs out the application calls \code{forget()}, which destroys
-      the session.
+      When a user logs out the application calls \code{forget()}, which
+      invalidates the session.
     \end{result}
 
 
     \item
-    \fail
+      \fail{}
     Verify that sessions timeout after a specified period of inactivity.
     \begin{result}
-    There is no functionality which tracks how long a user has been inactive.
+    There is absolutely no functionality which tracks how long a user has been inactive.
     \end{result}
 
 
-  \notapplicable{
+  \notapplicable{%
     \item
     Verify that sessions timeout after an administratively-configurable
     maximum time period regardless of activity (an absolute timeout).
   }
 
     \item
-    \TODO{}
+      \pass{}
     Verify that all pages that require authentication have easy and visible
     access to logout functionality.
+    \begin{result}
+    The logout functionality is plainly visible on the top right of the
+      application on every page that requires authentication. This is defined in
+      \srcref{admin/themes/header.php}{16-30}
+    \end{result}
+
 
     \item
-    \TODO{}
+      \pass{}
     Verify that the session id is never disclosed in URLs, error messages, or
     logs. This includes verifying that the application does not support URL
     rewriting of session cookies.
+    \begin{result}
+      The session id is only used inside the cookie. And the \PHP{}
+      \code{\$\_SESSION} variable is never accessed outside of session
+      management in \srcref{sessions.php}{}.
+    \end{result}
+
 
     \item
-    \TODO{}
+      \fail{}
     Verify that all successful authentication and re-authentication generates
     a new session and session id.
+    \begin{result}
+    The application does not destroy the session id upon logout, it merely
+      invalidates it. However \PHP{}'s session managements automatically
+      invalides these session id's after some time. % Discuss?
+    \end{result}
 
-  \notapplicable{
-    \item
+
+  \notapplicable{%
+      \item
     Verify that only session ids generated by the application framework are
     recognized as active by the application.
   }
 
     \item
-    \TODO{}
+      \pass{}
     Verify that session ids are sufficiently long, random and unique across the
     correct active session base.
+    \begin{result}
+      The session ids are generated by \PHP{} trough the \code{session\_start}
+      function. These are indeed sufficiently long, random and unique. There are
+      no known attacks against these session ID's.
+    \end{result}
+
 
     \item
-    \TODO{}
+      \fail{}
     Verify that session ids stored in cookies have their path set to an
     appropriately restrictive value for the application, and authentication
     session tokens additionally set the âHttpOnlyâ and âsecureâ attributes.
+    \begin{result}
+    There is just one cookie for tha application and it's path includes the whole
+      site. However this seems appropriate. The "HttpOnly" and "secure"
+      attributes are not set for this cookie.
+    \end{result}
+
 
     \item
-    \TODO{}
+      \pass{}
     Verify that the application limits the number of active concurrent sessions.
+    \begin{result}
+      By using \PHP{}'s session handling mechanism the application limits the
+      number of active concurrent sessions adequately.
+    \end{result}
 
     \item
-    \TODO{}
+      \fail{}
     Verify that an active session list is displayed in the account profile or
     similar of each user. The user should be able to terminate any active
     session.
+    \begin{result}
+    There is no indication whatsoever of any other active sessions a user may
+      have open
+    \end{result}
 
     \item
-    \TODO{}
+      \fail{}
     Verify the user is prompted with the option to terminate all other active
     sessions after a successful change password process.
+    \begin{result}
+    There is no such option, also notaeable is that there is no confirmation for
+      the password change.
+    \end{result}
 
 \end{enumerate}