Q1: Are the login credentials only sent using the HTTP POST method, and does the server allow the HTTP GET method to be used to send login credentials or not?
==> Authentication is done only with the POST method; the HTTP GET method for login is not supported.
Q2: Are all the authentication decisions logged including date and time, authentication source, and user name?
==> Yes, on ControlHub we have a "login Audit" that keeps a record of all login actions and the following information: User ID, IP Address, Login Timestamp, Logout Timestamp, User Agent, and whether the login was successful or not.
Q3: Are the session IDs never disclosed other than in cookie headers, particularly in URLs, error messages, or client-side logs? Does this include the application not supporting URL rewriting of session cookies?
==> Correct, session IDs are never disclosed other than in the cookie header and server logs.
Q4: Are the session ids generated by the application framework recognized as valid by the application?
==> Yes.
Q5: Do cookies which contain authenticated session tokens/IDs have their domain and path set to an appropriately restrictive value for that site?
==> Yes.
Q6: Can concurrent sessions using the same session ID be used from more than one device or not?
==> No
Q7: Does the application provide a capability to limit the number of login sessions per user?
==> No, currently we don't limit the number of login sessions per user.
Q8: Are the sessions invalidated when the user logs out?
==> Yes, after logout, the session ID used by that user will be inactive.
Q9: Does the session timeout after a standard period of inactivity?
==> Yes, on both ControlHub and DataCollector you can configure the timeout period after inactivity. The default is 86,400 seconds (24 hours).
Q10: Does the logout link exist on all pages post authentication?
==> After logging in to either ControlHub or DataCollector, you will always have in the upper-right corner the user button that allows you to log out.
Q11: Is a new session id issued after successful authentication?
==> Yes
Q12: Is a new session id issued after successful re-authentication?
==> Yes, after a logout a new session ID is generated for that user if they log in again.
Q13: Does the session id get changed or cleared on logout?
==> Yes, it is cleared after logout.
Q14: Is the application designed to prevent SQL injection vulnerabilities?
==> Yes, in our application we use only parameterized/named queries.