ATM_ID: 51037D02-073A-11E9-828D-3D812412F61E
MFF:
PLANNEDTIMESTAFF:
ID: DPQA_NewFeature/CS2.0/FT-24707_Session_Hijack_prevention/122032
TESTCASE_HEADLINE: To validate that the device accepts the logged-in user's "PHPSESSID" session ID cookie when it is injected/used to access the same logged-in user's web page, if that user is already logged in to CWIS.
GROUP:
FEATURE:
SUB_FEATURE:
INPUT:
1. Make sure that two devices are available for this test.
2. Make sure that a device/local user (e.g. Test) without admin rights is created on the device via Properties--Login/Permission/Accounting--Device User Database.
Scenario 1:
1. Open CWIS in any browser--log in with the created device user (Test)--select the Address Book/Scan tab to see the message "Only users with admin privileges can modify settings".
2. Go to browser settings--Content settings--Cookies--See all cookies and site data--select the corresponding device IP--expand "PHPSESSID" and copy the unique ID under Content (e.g. 3abc5734c67bc04a691b43a328c627a4).
3. Right-click in the CWIS page--select Inspect--go to the Console and manually inject the admin user's unique identifier in the form `document.cookie="<session ID cookie>=<unique identifier of the logged-in user>"` (e.g. `document.cookie="PHPSESSID=3abc5734c67bc04a691b43a328c627a4"`) and press Enter.
4. Refresh the web page or select any other tab (e.g. Scan properties) and check the result.
Scenario 2: (Different device CWIS)
4. Repeat steps 1 and 2 to take the session cookie ID of the user logged in to device 1.
5. Now open the device 2 CWIS in a new tab in the same browser or in a different browser--log in with the created device user (Test)--select the Address Book/Scan tab to see the message "Only users with admin privileges can modify settings".
6. Repeat steps 3 and 4 to check the result.
Scenario 3: (Different PC)
PC1:
7. Repeat steps 1 and 2 to take the session cookie ID of the user logged in to device 1.
PC2:
8. On PC2, open the device 2 CWIS in any browser--log in with the created device user (Test)--select the Address Book/Scan tab to see the message "Only users with admin privileges can modify settings".
9. Repeat steps 3 and 4 to check the result.
Expected result: the device should stay in the current user session and should not log the user out overall, but it should force the user out of that particular web page session (the user should not be able to see anything in that page session). If another CWIS page is then accessed, the user should not be logged out of CWIS.
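The behaviour this test case checks, and the verification FS 50.110.004 describes (each request in a session must come from the agent that established it, with the client IP address and User-Agent given as example binding values), can be modelled as a server-side session store that records those two values at login and rejects any request that presents the token from a different agent while leaving the original session usable. The code below is an added illustration written for this record; it is not the device's CWIS implementation, and every name in it (`SessionStore`, `Session`, the sample IP addresses and User-Agent strings) is an assumption.

```python
"""Server-side session binding check (added example, not the device's own code).

A PHPSESSID-style token is honoured only when it arrives from the same client
IP address and User-Agent that created it.  A mismatched request is rejected and
recorded for detection; the legitimate session itself is left intact, which is
the expected result of the test case above.  All names here are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    user: str
    client_ip: str
    user_agent: str


@dataclass(frozen=True)
class Rejection:
    """Audit record of a request that failed the binding check."""
    token_prefix: str   # only a prefix is logged so the log cannot leak the token
    client_ip: str
    user_agent: str
    reason: str


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.rejections: List[Rejection] = []

    def create(self, user: str, client_ip: str, user_agent: str) -> str:
        """Log a user in and bind the new token to the agent that requested it."""
        token = secrets.token_hex(16)  # 32 hex chars, like the cookie in step 2
        self._sessions[token] = Session(user, client_ip, user_agent)
        return token

    def authenticate(self, token: str, client_ip: str, user_agent: str) -> Optional[str]:
        """Return the user for a request that passes the check, else None.

        A rejected request does not revoke the session: the user who really
        established it keeps working from the original browser.
        """
        session = self._sessions.get(token)
        if session is None:
            self._reject(token, client_ip, user_agent, "unknown or expired token")
            return None
        if session.client_ip != client_ip:
            self._reject(token, client_ip, user_agent, "client IP differs from session origin")
            return None
        if session.user_agent != user_agent:
            self._reject(token, client_ip, user_agent, "User-Agent differs from session origin")
            return None
        return session.user

    def _reject(self, token: str, client_ip: str, user_agent: str, reason: str) -> None:
        self.rejections.append(Rejection(token[:8], client_ip, user_agent, reason))


def run_scenarios() -> Dict[str, Optional[str]]:
    """Replay the three scenarios of the test case with constructed values."""
    store = SessionStore()
    pc1 = ("10.0.0.5", "Mozilla/5.0 (PC1 browser)")   # constructed sample agent
    token = store.create("Test", *pc1)
    return {
        # Scenario 1: same browser re-presents its own cookie -> still accepted
        "same_agent": store.authenticate(token, *pc1),
        # Scenario 2: different browser on the same PC -> User-Agent differs
        "other_browser": store.authenticate(token, pc1[0], "Mozilla/5.0 (PC1 other browser)"),
        # Scenario 3: different PC -> client IP differs
        "other_pc": store.authenticate(token, "10.0.0.9", pc1[1]),
        # The original session must survive the rejected attempts
        "original_after": store.authenticate(token, *pc1),
    }


if __name__ == "__main__":
    for name, user in run_scenarios().items():
        print(f"{name}: {'accepted as ' + user if user else 'rejected'}")
```

The IP address check is the binding the specification names as an example, so it is kept here; in practice clients behind NAT or roaming between networks change address, which is why a product may bind to additional or different agent attributes. The rejection log gives the security-operations side something to alert on: repeated rejections for one token prefix from a second address are the signature of the cookie replay this test case exercises.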
PROCESS:
PRIORITY:
TEST_TYPE:
LOE:
RESOURCE_HW:
RESOURCE_CONSUMEABLES:
RESOURCE_MEDIA:
SKILL_SET:
TEST_CASE_TYPE:
TESTCASE_SOURCE:
SPEC: FS 50.110 WebUI Security
SPEC_VERSION:
SPEC_TAG: [50.110.004] (FT-24707) [D4.0M-*] After an HTTP session has been established between a client and the device, the device shall verify that each packet received in that session originates from the same agent that established the session. Note: The IP address of the client and the user agent identifier could, as an example, be used for verification.
ATM_OWNER:
APPROVE_QE:
APPROVED_QE:
APPROVE_SE:
APPROVED_SE:
APPROVE_SPAR:
APPROVED_SPAR:
ASSOCIATED_TESTCASES:
TRAINING:
TESTCASE_VERSION:
TESTCASE_STATE:
TESTCASE_PLATFORM:
TESTCASE_PRODUCT:
TESTCASE_APPROVALS:
CDATE: 1545628266
MDATE: 1545628266
MUSER: q4BVX0J1
AUTHOR: q4BVX0J1
ATM_MCOMMENTS: Imported from spreadsheet
HISTORY:
ATM_LOCKED:
ATM_REQLINK: 8EFC6B56-F7B7-11E8-9DF0-573A2612F61E
ATM_REQCOUNT: 1
QA_TEAM:
TC_WEIGHTAGE:
FILENAME:
FILEDESC:
FILES: