I'm wondering how many of you are taking these standards into
consideration? It seems a nice guideline, but some of the requirements seem
unimportant to me. Are all of these really fatal?
And I have some questions about some of the requirements here:
- Verify that sessions timeout after an administratively-configurable
maximum time period regardless of activity (an absolute timeout). (Why?)
- Verify that the application limits the number of active concurrent
sessions. (Why and how?)
- Verify that all successful authentication and re-authentication
generates a new session and session id. (I believe the PHP server is
handling that.)
- Verify that session ids are sufficiently long, random and unique
across the correct active session base. (Are PHP's default session IDs
enough for this?)
Thanks
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
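The following is an added example written for this editing pass; it is not code from the poster or from the standard they quote. It shows how the four session requirements asked about map onto plain PHP: an absolute timeout enforced alongside the idle timeout, explicit session_regenerate_id() after login (session_start() on its own reuses whatever id the client presents, so PHP does not rotate the id for you), a per-user concurrent-session limit kept in application storage, and the session id length/entropy settings. It assumes PHP >= 7.4 with the default files session handler; the function names, the SQLite-backed `user_sessions` table and the timeout and limit values are assumptions chosen for illustration, not anything the post specifies.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.4, files
// session handler, and a hypothetical SQLite table user_sessions.
declare(strict_types=1);

const ABSOLUTE_TIMEOUT = 8 * 3600;  // 8 h regardless of activity (assumed policy)
const IDLE_TIMEOUT     = 30 * 60;   // 30 min of inactivity (assumed policy)
const MAX_CONCURRENT   = 3;         // active sessions per user (assumed policy)

// Session id entropy: since PHP 7.1 ids come from the CSPRNG with defaults
// sid_length=32 / sid_bits_per_character=4 (128 bits). Set them explicitly so
// the property does not depend on php.ini, and enable strict mode so PHP
// refuses ids it did not issue (blocks trivial session fixation).
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');  // 288 bits
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Lax']);
session_start();

function db(): PDO
{
    static $pdo = null;  // connection details are an assumption
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
        $pdo->exec('CREATE TABLE IF NOT EXISTS user_sessions '
                 . '(user_id TEXT, session_id TEXT PRIMARY KEY, created_at INTEGER)');
    }
    return $pdo;
}

// Absolute timeout: the creation time is stored once and never refreshed,
// so a continuously active user is still logged out after ABSOLUTE_TIMEOUT.
function enforceTimeouts(): void
{
    $now = time();
    $_SESSION['created_at'] ??= $now;
    $_SESSION['last_seen']  ??= $now;
    if ($now - $_SESSION['created_at'] > ABSOLUTE_TIMEOUT
        || $now - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        destroyCurrentSession();
        session_start();  // strict mode issues a fresh id for the anonymous session
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

// Call after the credential check succeeds: rotate the id (deleting the old
// session file) and rebuild the session state from scratch.
function onSuccessfulLogin(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'created_at' => time(), 'last_seen' => time()];
    registerSession($userId, session_id());
}

// Concurrent-session limit: track a hash of each active id per user and
// evict the oldest beyond MAX_CONCURRENT. Hashing means a leak of this table
// does not yield usable cookies; the trade-off is that eviction is enforced
// on the evicted session's next request (sessionStillAllowed) rather than
// by deleting its server-side file immediately.
function registerSession(string $userId, string $sid): void
{
    $pdo = db();
    $pdo->prepare('INSERT INTO user_sessions (user_id, session_id, created_at) VALUES (?, ?, ?)')
        ->execute([$userId, hash('sha256', $sid), time()]);
    $stmt = $pdo->prepare('SELECT session_id FROM user_sessions WHERE user_id = ? ORDER BY created_at DESC');
    $stmt->execute([$userId]);
    foreach (array_slice($stmt->fetchAll(PDO::FETCH_COLUMN), MAX_CONCURRENT) as $stale) {
        $pdo->prepare('DELETE FROM user_sessions WHERE session_id = ?')->execute([$stale]);
    }
}

function sessionStillAllowed(): bool
{
    if (!isset($_SESSION['user_id'])) {
        return true;  // anonymous session: no per-user limit applies
    }
    $stmt = db()->prepare('SELECT 1 FROM user_sessions WHERE session_id = ?');
    $stmt->execute([hash('sha256', session_id())]);
    return (bool) $stmt->fetchColumn();
}

function destroyCurrentSession(): void
{
    if (isset($_SESSION['user_id'])) {
        db()->prepare('DELETE FROM user_sessions WHERE session_id = ?')
            ->execute([hash('sha256', session_id())]);
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 42000, 'path' => $p['path'],
              'domain' => $p['domain'], 'secure' => $p['secure'],
              'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}

// Per-request gate: run before any authenticated action.
enforceTimeouts();
if (!sessionStillAllowed()) {
    destroyCurrentSession();
    header('Location: /login');
    exit;
}
```

The two points the example is built around: the absolute timeout has to be stored and checked by the application because PHP's `session.gc_maxlifetime` only approximates an idle timeout and is reset by activity, and the session id must be regenerated by an explicit `session_regenerate_id(true)` after authentication, since nothing in the default session machinery does that on login.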