Web lists-archives.com

[PHP] About OWASP Application Security Verification Standards

Im wondering how many of you are taking into consideration about these standarts? It seems nice guideline but some of the requirements are seem non-important to me. Are all of these really fatal ?

And i have some questions about some of the requirements here,

- Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). (Why ?) - Verify that the application limits the number of active concurrent sessions. (why and how?)

- Verify that all successful authentication and re-authentication generates a new session and session id. (i believe php server is handling that) - Verify that session ids are sufficiently long, random and unique across the correct active session base. (is php's default session ids are enough for this?)


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php