We are setting up our sites for PCI compliance and a third party (securitymetrics) is evaluating our sites and returning this issue:

"Synopsis : The remote web server generates predictable session IDs.
Description : The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while he visits a web site. The remote server generates non-random session IDs. An attacker might use this flaw to guess the session IDs of other users and therefore steal their session.
See also : http://pdos.csail.mit.edu/cookies/seq_sessionid.html
Solution: Configure the remote site and CGIs so as to use random session IDs.
Risk Factor: Medium / CVSS Base Score : 6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)"

This report shows up for CF sites. It is generated by the scans we are doing for PCI compliance, which means it HAS to be fixed.

After doing a bit of research I'm finding that the CFID will always be sequential no matter what you set up on the server, but that isn't the only thing that sessions rely on (they also rely on CFTOKEN, which is randomized). I thought that changing to JSESSIONID would solve the issue, but further research determined this was a terrible idea, as we have a number of sites that rely on client variable state and newer sites that use session state variables (and a disturbing few that use both).

So I want to help the infrastructure folks with this and be able to articulate either that CF sessions rely on both CFID and CFTOKEN, and since one is randomized we meet the requirements, or learn a way to set it up so that the sites pass the test. Does anyone have a solution for this? Has anyone encountered this issue before?
Anything that could help would be appreciated.

-- Joshua O'Connor-Rose
-All is Good

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:318878
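Added example, not part of Joshua's post and not ColdFusion code: a small Python script that does offline the kind of check the scanner is making against the CFID/CFTOKEN pair. Paste in the cookie values from several freshly issued sessions and it reports whether CFID is sequential and puts a ceiling on how much entropy CFTOKEN can carry, derived from its alphabet and length. The sample cookie values are constructed for illustration; the 64-bit floor is the minimum the OWASP Session Management Cheat Sheet recommends for a session identifier; and the UUID-shaped tokens in the second sample are an assumed format, not a reproduction of what any ColdFusion setting actually emits.

```python
"""Check whether a CFID/CFTOKEN session pair is predictable.

Added example, not code from the original post or from ColdFusion.
Feed it the Cookie values of several freshly issued sessions and it
reports (a) whether CFID is sequential and (b) an upper bound on the
entropy CFTOKEN can carry, which is all that protects the session once
CFID is predictable.
"""
import math
import re

# Assumed floor: 64 bits of entropy, the minimum the OWASP Session
# Management Cheat Sheet recommends for a session identifier.
MIN_TOKEN_BITS = 64

# Constructed sample data (not captured from any real server): the pair as
# it appears in a Cookie header, one entry per newly issued session.
NUMERIC_TOKEN_SESSIONS = [
    "CFID=20481; CFTOKEN=48213967",
    "CFID=20482; CFTOKEN=10593311",
    "CFID=20483; CFTOKEN=77120458",
    "CFID=20484; CFTOKEN=63009174",
    "CFID=20485; CFTOKEN=25871603",
]

# Same shape with a 32-hex-digit, UUID-shaped CFTOKEN. Constructed and
# illustrative only; not a reproduction of any ColdFusion setting's output.
HEX_TOKEN_SESSIONS = [
    "CFID=20481; CFTOKEN=3f9a1c7e-8b2d-4e6f-9012-abcdef012345",
    "CFID=20482; CFTOKEN=c41d0b2a-77e3-4f10-a8b9-0fe12d34c567",
    "CFID=20483; CFTOKEN=9e8d7c6b-5a49-4382-b716-05f4e3d2c1b0",
]

COOKIE_PAIR_RE = re.compile(r"([^=;\s]+)=([^;]*)")


def parse_session(cookie_header):
    """Split 'CFID=...; CFTOKEN=...' into a {name: value} dict."""
    return {name: value.strip()
            for name, value in COOKIE_PAIR_RE.findall(cookie_header)}


def is_sequential(values, max_step=1):
    """True when every value is the previous one plus 1..max_step, i.e. an
    attacker who sees one ID can predict the next ones."""
    if len(values) < 2:
        return False
    return all(0 < later - earlier <= max_step
               for earlier, later in zip(values, values[1:]))


def token_entropy_bits(token):
    """Upper bound on a token's entropy from its alphabet and length.

    Separators are ignored. This is a ceiling: a generator can be weaker
    than its alphabet suggests, never stronger.
    """
    body = token.replace("-", "")
    if not body:
        return 0.0
    if body.isdigit():
        alphabet = 10
    elif re.fullmatch(r"[0-9a-fA-F]+", body):
        alphabet = 16
    elif body.isalnum():
        # mixed case gets the 62-symbol alphabet, single case only 36
        alphabet = 62 if body.lower() != body and body.upper() != body else 36
    else:
        alphabet = len(set(body))  # unknown alphabet: credit only what was seen
    return len(body) * math.log2(alphabet)


def assess(cookie_headers, min_token_bits=MIN_TOKEN_BITS):
    """Assess a batch of sessions. The pass criterion is CFTOKEN's entropy
    alone, because with a sequential CFID that is all an attacker must guess."""
    sessions = [parse_session(h) for h in cookie_headers]
    cfids = [int(s["CFID"]) for s in sessions]
    token_bits = min(token_entropy_bits(s["CFTOKEN"]) for s in sessions)
    return {
        "cfid_sequential": is_sequential(cfids),
        "cftoken_bits": round(token_bits, 1),
        "passes": token_bits >= min_token_bits,
    }


if __name__ == "__main__":
    for label, batch in (("8-digit CFTOKEN", NUMERIC_TOKEN_SESSIONS),
                         ("UUID-shaped CFTOKEN", HEX_TOKEN_SESSIONS)):
        print(label, assess(batch))
```

What the script makes concrete: once CFID is predictable, the pair is only as strong as CFTOKEN on its own, and an 8-digit numeric CFTOKEN has at most log2(10^8), roughly 26.6 bits, so the "one half is random" argument only holds if that half is wide enough to resist online guessing. The check is a necessary condition, not a proof of randomness: it cannot tell a good generator from a bad one that uses the same alphabet and length, and whether a QSA accepts the pair-based argument is their call, not the script's.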

