\item
- \fail{}
+ \fail{}
Verify that all successful authentication and re-authentication generates
a new session and session id.
\begin{result}
The application does not destroy the session id upon logout, it merely
- invalidates it. \PHP{}'s % HOWEVER!
+ invalidates it. However \PHP{}'s session managements automatically
+ invalides these session id's after some time. % Discuss?
\end{result}
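Review bot: the justification in the result block does not address the requirement it is failing. The item asks whether a successful login or re-authentication issues a new session id (the control against session fixation), but the text only describes what happens at logout. State what was observed at login (whether the id in the cookie changes after authenticating) and, if it does not, name the fix, which in PHP is a call to \code{session\_regenerate\_id(true)} after successful authentication. The added sentence about PHP automatically invalidating ids "after some time" is not a mitigation for this item: garbage collection of idle sessions has no bearing on whether a pre-set id survives login. Also clean up "session managements" and "invalides", and resolve the leftover "% Discuss?" marker before this goes into the report.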
\notapplicable{%
- \item
+ \item
Verify that only session ids generated by the application framework are
recognized as active by the application.
}
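Review bot: marking this item not applicable looks wrong given that the application relies on PHP's built-in session handling (as the next result states). By default PHP will accept an arbitrary, never-issued session id presented in the cookie and start a session under it unless \code{session.use\_strict\_mode} is enabled, so the item is directly testable: check that ini setting and whether an unknown id presented to the application is rejected, and record pass or fail rather than \notapplicable.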
\item
- \pass{}
+ \pass{}
Verify that session ids are sufficiently long, random and unique across the
correct active session base.
\begin{result}
The session ids are generated by \PHP{} trough the \code{session\_start}
- function. These are indeed sufficiently long, random and unique.
+ function. These are indeed sufficiently long, random and unique. There are
+ no known attacks against these session ID's.
\end{result}
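Review bot: the added sentence "There are no known attacks against these session ID's" is a blanket claim that cannot be verified from this report and should be replaced by what was actually checked. The strength of PHP-generated ids depends on the runtime version and its session configuration (id length and entropy settings), so the result should name the PHP version observed and the relevant settings, or the sampled id length and character set, as the evidence for "sufficiently long, random and unique". Also "trough" should read "through".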
\item
- \TODO{}
+ \fail{}
Verify that session ids stored in cookies have their path set to an
appropriately restrictive value for the application, and authentication
session tokens additionally set the “HttpOnly” and “secure” attributes.
+ \begin{result}
+ There is just one cookie for tha application and it's path includes the whole
+ site. However this seems appropriate. The "HttpOnly" and "secure"
+ attributes are not set for this cookie.
+ \end{result}
+
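Review bot: the finding is consistent with the \fail{} verdict, but the result should also state the remediation, since it is a one-line configuration change: set \code{session.cookie\_httponly} and \code{session.cookie\_secure} (or pass the equivalent options to \code{session\_set\_cookie\_params}) so the session cookie is not readable from script and is only sent over TLS. Fix "tha application" and "it's path" (should be "its"), and drop the trailing blank line added after \end{result}; no other item in this list has one.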
\item
- \TODO{}
+ \pass{}
Verify that the application limits the number of active concurrent sessions.
+ \begin{result}
+ By using \PHP{}'s session handling mechanism the application limits the
+ number of active concurrent sessions adequately.
+ \end{result}
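Review bot: the reasoning given for this \pass{} does not hold. PHP's default session handler creates an independent session on every \code{session\_start} and keeps no per-user account of open sessions, so using it does not by itself limit the number of concurrent sessions a user can hold. Either document an application-level mechanism that was observed (for example a stored session count per account that is enforced at login) or change the verdict; as written, the evidence points the other way, and the \fail{} on the next item ("no indication whatsoever of any other active sessions") suggests no such tracking exists.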
\item
- \TODO{}
+ \fail{}
Verify that an active session list is displayed in the account profile or
similar of each user. The user should be able to terminate any active
session.
+ \begin{result}
+ There is no indication whatsoever of any other active sessions a user may
+ have open
+ \end{result}
\item
- \TODO{}
+ \fail{}
Verify the user is prompted with the option to terminate all other active
sessions after a successful change password process.
+ \begin{result}
+ There is no such option, also notqeable is that there is no confirmation for
+ the password change.
+ \end{result}
\end{enumerate}
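Review bot: the two \fail{} verdicts are well supported, but the result texts need finishing. The first is missing its terminating full stop after "have open". In the second, "notqeable" should be "noteworthy" and the observation that a password change requires no confirmation is a separate finding about the password-change flow rather than a session-management one; record it where the password-change checks live (or as its own item) so it is not lost inside this session entry.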