repositories
/
ssproject1617.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
a06f593
)
v3 first version done
author
W
<kuhnen@science.ru.nl>
Wed, 9 Nov 2016 10:45:42 +0000
(11:45 +0100)
committer
W
<kuhnen@science.ru.nl>
Wed, 9 Nov 2016 10:45:42 +0000
(11:45 +0100)
report/v3_session.tex
patch
|
blob
|
history
diff --git
a/report/v3_session.tex
b/report/v3_session.tex
index
d6dab6c
..
b2fa838
100644
(file)
--- a/
report/v3_session.tex
+++ b/
report/v3_session.tex
@@
-57,50
+57,70
@@
\item
\item
- \fail{}
+
\fail{}
Verify that all successful authentication and re-authentication generates
a new session and session id.
\begin{result}
The application does not destroy the session id upon logout, it merely
Verify that all successful authentication and re-authentication generates
a new session and session id.
\begin{result}
The application does not destroy the session id upon logout, it merely
- invalidates it. \PHP{}'s % HOWEVER!
+ invalidates it. However \PHP{}'s session managements automatically
+ invalides these session id's after some time. % Discuss?
\end{result}
\notapplicable{%
\end{result}
\notapplicable{%
- \item
+
\item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}
\item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}
\item
- \pass{}
+
\pass{}
Verify that session ids are sufficiently long, random and unique across the
correct active session base.
\begin{result}
The session ids are generated by \PHP{} trough the \code{session\_start}
Verify that session ids are sufficiently long, random and unique across the
correct active session base.
\begin{result}
The session ids are generated by \PHP{} trough the \code{session\_start}
- function. These are indeed sufficiently long, random and unique.
+ function. These are indeed sufficiently long, random and unique. There are
+ no known attacks against these session ID's.
\end{result}
\item
\end{result}
\item
-
\TODO
{}
+
\fail
{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
session tokens additionally set the “HttpOnly” and “secure” attributes.
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
session tokens additionally set the “HttpOnly” and “secure” attributes.
+ \begin{result}
+ There is just one cookie for tha application and it's path includes the whole
+ site. However this seems appropriate. The "HttpOnly" and "secure"
+ attributes are not set for this cookie.
+ \end{result}
+
\item
\item
-
\TODO
{}
+
\pass
{}
Verify that the application limits the number of active concurrent sessions.
Verify that the application limits the number of active concurrent sessions.
+ \begin{result}
+ By using \PHP{}'s session handling mechanism the application limits the
+ number of active concurrent sessions adequately.
+ \end{result}
\item
\item
-
\TODO
{}
+
\fail
{}
Verify that an active session list is displayed in the account profile or
similar of each user. The user should be able to terminate any active
session.
Verify that an active session list is displayed in the account profile or
similar of each user. The user should be able to terminate any active
session.
+ \begin{result}
+ There is no indication whatsoever of any other active sessions a user may
+ have open
+ \end{result}
\item
\item
-
\TODO
{}
+
\fail
{}
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.
+ \begin{result}
+ There is no such option, also notqeable is that there is no confirmation for
+ the password change.
+ \end{result}
\end{enumerate}
\end{enumerate}
repositories / ssproject1617.git / commitdiff