\begin{enumerate}[label={3.\arabic*}]
\item
- \pass
+ \pass{}
Verify that there is no custom session manager, or that the custom session
manager is resistant against all common session management attacks.
\begin{result}
- The application uses the standard \PHP functionality;
- \code{session_start()} to manage sessions.
+ The application uses the standard \PHP{} functionality; namely
+ \code{session\_start ()} to manage sessions.
\end{result}
\item
- \pass
+ \pass{}
Verify that sessions are invalidated when the user logs out.
\begin{result}
- When a user logs out the application calls \code{forget()}, which destroys
- the session.
+ When a user logs out the application calls \code{forget()}, which
+ invalidates the session.
\end{result}
\item
- \fail
+ \fail{}
Verify that sessions timeout after a specified period of inactivity.
\begin{result}
- There is no functionality which tracks how long a user has been inactive.
+ There is absolutely no functionality which tracks how long a user has been inactive.
\end{result}
- \notapplicable{
+ \notapplicable{%
\item
Verify that sessions timeout after an administratively-configurable
maximum time period regardless of activity (an absolute timeout).
}
\item
- \TODO{}
+ \pass{}
Verify that all pages that require authentication have easy and visible
access to logout functionality.
+ \begin{result}
+ The logout functionality is plainly visible on the top right of the
+ application on every page that requires authentication. This is defined in
+ \srcref{admin/themes/header.php}{16-30}
+ \end{result}
+
\item
- \TODO{}
+ \pass{}
Verify that the session id is never disclosed in URLs, error messages, or
logs. This includes verifying that the application does not support URL
rewriting of session cookies.
+ \begin{result}
+ The session id is only used inside the cookie. And the \PHP{}
+ \code{\$\_SESSION} variable is never accessed outside of session
+ management in \srcref{sessions.php}{}.
+ \end{result}
+
\item
- \TODO{}
+ \fail{}
Verify that all successful authentication and re-authentication generates
a new session and session id.
+ \begin{result}
+ The application does not destroy the session id upon logout, it merely
+ invalidates it. \PHP{}'s % HOWEVER!
+ \end{result}
+
- \notapplicable{
+ \notapplicable{%
\item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}
\item
- \TODO{}
+ \pass{}
Verify that session ids are sufficiently long, random and unique across the
correct active session base.
+ \begin{result}
+ The session ids are generated by \PHP{} trough the \code{session\_start}
+ function. These are indeed sufficiently long, random and unique.
+ \end{result}
+
\item
\TODO{}
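Review bot: the new result block for 3.7 (the `+ The application does not destroy the session id upon logout ...` lines) does not answer the requirement and ends mid-sentence with a commented-out `% HOWEVER!`; the item asks whether every successful (re-)authentication issues a fresh session id, so the result should state whether the login path calls `session_regenerate_id()` (or otherwise rotates the id) and cite the source location with `\srcref`, and the dangling `\PHP{}'s % HOWEVER!` should be completed or removed before this is merged. The same applies to the 3.6 result: that `\$\_SESSION` is only touched in `\srcref{sessions.php}{}` says nothing about whether the id appears in URLs, error messages or logs; the evidence a reader expects here is the value of the `session.use_only_cookies` and `session.use_trans_sid` directives and a line range in the second argument of `\srcref`, which is currently empty. In the 3.10 result, `trough` should read `through`, and the sentence `These are indeed sufficiently long, random and unique.` asserts the conclusion without evidence; reference the configured session id length and entropy settings, or the PHP version whose defaults were relied on. Finally, the intensifier added in 3.3 (`There is absolutely no functionality ...`) adds nothing to a finding; the original `There is no functionality ...` reads better in a report.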