Dan,

Without wishing to repeat John's feedback, much of what was highlighted needs to be tackled by BMC. However, there are a few items that puzzled me.

3. No session time out

The Mid Tier runs on a Java web server with the standard servlet engine session timeout, so there is a timeout on sessions. It's set in the Mid Tier configuration and is not per user, but Mid Tier instance-wide. I suspect it was set to a high value and hence the pen testers concluded it wasn't set.

6. Auto-complete feature

I wasn't aware that the username/password is being stored in a cookie. Did they tell you which one?
John
--
SSO Plugin for BMC ITSM, Dashboards, Analytics.
http://www.javasystemsolutions.com/jss/ssoplugin

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: "Where the Answers Are"
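The session-timeout point above is easy to verify rather than guess at: the servlet container reads the timeout (in minutes) from the `<session-config>` element of a deployment descriptor, and a very large value, or a value of zero or less (which the servlet specification defines as "never expire"), produces exactly the "no session timeout" finding a pen test reports. The following is an added example, not code from the email, the list, or BMC; it assumes a standard Java EE web.xml layout and uses a constructed sample descriptor, not a real Mid Tier configuration.

```python
"""Check the servlet session timeout in a web.xml against a policy limit.

Added example with a constructed sample descriptor; it is not BMC Mid Tier
code and the sample below is not a real Mid Tier configuration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a descriptor with a 24-hour (1440 minute) timeout,
# the kind of setting that makes a tester conclude there is no timeout at all.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config>
    <session-timeout>1440</session-timeout>
  </session-config>
</web-app>
"""

# Java EE descriptors usually carry this default namespace; older ones carry none.
NS = "{http://java.sun.com/xml/ns/javaee}"


def session_timeout_minutes(web_xml: str):
    """Return the configured session-timeout in minutes, or None if the element
    is absent. A value of 0 or less means sessions never expire (servlet spec)."""
    root = ET.fromstring(web_xml)
    # Look for the element both with and without the Java EE namespace.
    for path in (f"{NS}session-config/{NS}session-timeout",
                 "session-config/session-timeout"):
        node = root.find(path)
        if node is not None and node.text:
            return int(node.text.strip())
    return None


def assess(web_xml: str, max_minutes: int = 30) -> str:
    """Classify the descriptor's timeout against a policy limit (default 30 min)."""
    timeout = session_timeout_minutes(web_xml)
    if timeout is None:
        # No element in the application's web.xml: the container's own
        # default applies (Tomcat ships with 30 minutes in conf/web.xml).
        return "no session-timeout element: container default applies"
    if timeout <= 0:
        return "sessions never expire (timeout <= 0)"
    if timeout > max_minutes:
        return f"timeout of {timeout} minutes exceeds the {max_minutes}-minute policy"
    return f"timeout of {timeout} minutes is within policy"


if __name__ == "__main__":
    print(assess(SAMPLE_WEB_XML))
```

Run it against the application's web.xml and, separately, against the container's global web.xml, since the application's value overrides the container's and the absence of an element in one file does not mean the timeout is unset. A reported finding of "no session timeout" is then traceable to a concrete configured value rather than an inference from a long-lived test session.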