From: W Date: Wed, 9 Nov 2016 10:45:42 +0000 (+0100) Subject: v3 first version done X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=e71ae424936ecb03212e33fa41cc37451e0d6a9e;p=ssproject1617.git v3 first version done --- diff --git a/report/v3_session.tex b/report/v3_session.tex index d6dab6c..b2fa838 100644 --- a/report/v3_session.tex +++ b/report/v3_session.tex 
@@ -57,50 +57,70 @@ \item - \fail{} + \fail{} Verify that all successful authentication and re-authentication generates a new session and session id. \begin{result} The application does not destroy the session id upon logout, it merely - invalidates it. \PHP{}'s % HOWEVER! + invalidates it. However \PHP{}'s session managements automatically + invalides these session id's after some time. % Discuss? \end{result} \notapplicable{% - \item + \item Verify that only session ids generated by the application framework are recognized as active by the application. } \item - \pass{} + \pass{} Verify that session ids are sufficiently long, random and unique across the correct active session base. \begin{result} The session ids are generated by \PHP{} trough the \code{session\_start} - function. These are indeed sufficiently long, random and unique. + function. These are indeed sufficiently long, random and unique. There are + no known attacks against these session ID's. \end{result} \item - \TODO{} + \fail{} Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication session tokens additionally set the “HttpOnly” and “secure” attributes. + \begin{result} + There is just one cookie for tha application and it's path includes the whole + site. However this seems appropriate. The "HttpOnly" and "secure" + attributes are not set for this cookie. + \end{result} + \item - \TODO{} + \pass{} Verify that the application limits the number of active concurrent sessions. + \begin{result} + By using \PHP{}'s session handling mechanism the application limits the + number of active concurrent sessions adequately. + \end{result} \item - \TODO{} + \fail{} Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session. 
+ \begin{result} + There is no indication whatsoever of any other active sessions a user may + have open + \end{result} \item - \TODO{} + \fail{} Verify the user is prompted with the option to terminate all other active sessions after a successful change password process. + \begin{result} + There is no such option, also notqeable is that there is no confirmation for + the password change. + \end{result} \end{enumerate}
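Review bot: the new `\pass{}` on "Verify that the application limits the number of active concurrent sessions" is not supported by its result text: PHP's built-in session handling does not by itself cap the number of concurrent sessions a user can hold, so "By using \PHP{}'s session handling mechanism the application limits the number of active concurrent sessions adequately" needs either a description of the limit the application actually enforces (where it is implemented and what the limit is) or a downgrade to `\fail{}`/`\TODO{}`. Similar mismatch in the first item: the requirement is about generating a new session id on every (re-)authentication, but the result only discusses logout ("does not destroy the session id upon logout, it merely invalidates it"), and the added sentence about PHP automatically invalidating ids "after some time" reads as softening a `\fail{}` verdict; state the login/re-login behaviour that was observed, and drop the leftover `% Discuss?` comment (or resolve it) before this goes into the final report. Typos in the added lines: "invalides" -> "invalidates", "session id's"/"session ID's" -> "session ids", "tha application" -> "the application", "it's path" -> "its path", "notqeable" -> "noticeable"; the unchanged context line "trough the \code{session\_start}" should read "through". Finally, "There are no known attacks against these session ID's" is a strong claim for a report; tie it to the PHP version under test or rephrase as "we are not aware of".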