From: W Date: Mon, 24 Oct 2016 14:58:13 +0000 (+0200) Subject: work on v3 X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=a06f593282947a490cc23d1186eddfdd4774f790;p=ssproject1617.git work on v3 --- diff --git a/report/v3_session.tex b/report/v3_session.tex index 5b1f207..d6dab6c 100644 --- a/report/v3_session.tex +++ b/report/v3_session.tex 
@@ -1,64 +1,86 @@ \begin{enumerate}[label={3.\arabic*}] \item - \pass + \pass{} Verify that there is no custom session manager, or that the custom session manager is resistant against all common session management attacks. \begin{result} - The application uses the standard \PHP functionality; - \code{session_start()} to manage sessions. + The application uses the standard \PHP{} functionality; namely + \code{session\_start ()} to manage sessions. \end{result} \item - \pass + \pass{} Verify that sessions are invalidated when the user logs out. \begin{result} - When a user logs out the application calls \code{forget()}, which destroys - the session. + When a user logs out the application calls \code{forget()}, which + invalidates the session. \end{result} \item - \fail + \fail{} Verify that sessions timeout after a specified period of inactivity. \begin{result} - There is no functionality which tracks how long a user has been inactive. + There is absolutely no functionality which tracks how long a user has been inactive. \end{result} - \notapplicable{ + \notapplicable{% \item Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). } \item - \TODO{} + \pass{} Verify that all pages that require authentication have easy and visible access to logout functionality. + \begin{result} + The logout functionality is plainly visible on the top right of the + application on every page that requires authentication. This is defined in + \srcref{admin/themes/header.php}{16-30} + \end{result} + \item - \TODO{} + \pass{} Verify that the session id is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. + \begin{result} + The session id is only used inside the cookie. And the \PHP{} + \code{\$\_SESSION} variable is never accessed outside of session + management in \srcref{sessions.php}{}. 
+ \end{result} + \item - \TODO{} + \fail{} Verify that all successful authentication and re-authentication generates a new session and session id. + \begin{result} + The application does not destroy the session id upon logout, it merely + invalidates it. \PHP{}'s % HOWEVER! + \end{result} + - \notapplicable{ + \notapplicable{% \item Verify that only session ids generated by the application framework are recognized as active by the application. } \item - \TODO{} + \pass{} Verify that session ids are sufficiently long, random and unique across the correct active session base. + \begin{result} + The session ids are generated by \PHP{} trough the \code{session\_start} + function. These are indeed sufficiently long, random and unique. + \end{result} + \item \TODO{} diff --git a/report/v7_cryptography.tex b/report/v7_cryptography.tex index b2a3876..293dd19 100644 --- a/report/v7_cryptography.tex +++ b/report/v7_cryptography.tex @@ -1,3 +1,4 @@ +% usage of crypt() \begin{enumerate}[label={7.\arabic*}] \addtocounter{enumi}{1}
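Review bot: the new result for item 3.7 is committed as an unfinished fragment: "\PHP{}'s % HOWEVER!" ends mid-sentence with the rest hidden behind a LaTeX comment, and the sentences that are there ("does not destroy the session id upon logout, it merely invalidates it") talk about logout, whereas 3.7 asks whether successful authentication and re-authentication generate a new session and session id. Either finish the sentence and state what the login path does with the session id (the check that decides this item), or leave the item as \TODO{} rather than a \fail{} with a dangling justification; and note that 3.2's result now says \code{forget()} "invalidates" the session while the old text said it "destroys" it, so the two items should agree on what actually happens. In item 3.6, "The session id is only used inside the cookie" is argued from \code{\$\_SESSION} never being accessed outside \srcref{sessions.php}{}, but \code{\$\_SESSION} holds session data, not the id; the requirement also explicitly covers URL rewriting of session cookies, so the result should say whether that is disabled for this application, and the second argument of \srcref{sessions.php}{} is empty where every other \srcref in the hunk gives a line range. Item 3.9 states the ids are "indeed sufficiently long, random and unique" without citing which \PHP{} version or session settings that relies on; add the evidence, and fix "trough" to "through". Minor style points: \code{session\_start ()} in 3.1 has a space before the parentheses that \code{forget()} and \code{session\_start} do not, and "absolutely no functionality" in 3.3 reads as editorialising in an audit report; "no functionality" is enough.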
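Review bot: the only change to v7_cryptography.tex is the LaTeX comment "% usage of crypt()", which records a to-do item that will not appear in the rendered report and is not tied to any numbered item. The report already uses a \TODO{} macro for open items, so either attach this as \TODO{} text to the item it belongs to or leave it out of the commit until there is a result to report.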