Sample Requirements for an Application’s Development

draft

session management

user session inactivity timeout needs to be defined (if user always uses the thing then fine)
what about multi-sessions, can a user login twice from different IPs? do you want device logged-in management like facebook?

password policy

unless you are using an SSO e.g. CAS v5 within a tomcat container which would already comply with your policy,

compexity requirements or even forced random-generated
once password reseted, direct login? then browser does not remember updated one…
what about blocking the browser from remembering (Qualys security robot reports)?
magic login links and no passwords at all? + autologin + session never expires ?

HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5 | CONTACT
Copyright © 2024 Pierre-Philipp Braun