First of all, there is a misconception when it comes to session state: if you keep the session open when the browser is closed and DO NOT issue a new token, then it can be hijacked by others. The other option is to use jsessionid, which is the Java J2EE implementation, and is actually a better alternative.

Also there is an option in the Admin to use GUID for CFID / CFToken; however, this will still suffer from the same problem. It all boils down to how and what you stick in a session / client variable. The best trick is to always issue a new token if they are not signed in, whether it be a GUID version or standard CFID / CFToken.

On Thu, Feb 5, 2009 at 2:41 AM, Joshua O'Connor-Rose <[email protected]> wrote:

> We are setting up our sites for PCI compliance and a third party
> (securitymetrics) is evaluating our sites and returning this issue:
>
> "Synopsis: The remote web server generates predictable session IDs.
> Description: The remote web server generates a session ID for each
> connection. A session ID is typically used to keep track of the
> actions of a user while he visits a web site. The remote server
> generates non-random session IDs. An attacker might use this flaw to
> guess the session IDs of other users and therefore steal their
> session. See also: http://pdos.csail.mit.edu/cookies/seq_sessionid.html
> Solution: Configure the remote site and CGIs so as to use
> random session IDs. Risk Factor: Medium / CVSS Base Score: 6.4
> (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)"
>
> This report shows up for CF sites. It is generated by the scans we
> are doing for PCI compliance, which means it HAS to be fixed.
>
> After doing a bit of research I'm finding the CFID will always be
> sequential no matter what you set up on the server, but that isn't the
> only thing that sessions rely on. (They also rely on cftoken, which is
> randomized.) I thought by changing to JSESSIONID that would solve the
> issue. But further research determined this was a terrible idea as we
> have a number of sites that rely on client variable state and newer
> sites that use session state variables (and a disturbing few that use
> both).
>
> So I want to help the infrastructure folks with this and be able to
> articulate either that CF sessions rely on both CFID and CFTOKEN and,
> since one is randomized, that we meet the requirements, or learn a way
> to set it up so that the sites pass the test.
>
> Does anyone have a solution for this? Has anyone encountered this issue
> before?
>
> Anything that could help would be appreciated.
>
> --
> Joshua O'Connor-Rose
> -All is Good
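As an added example, not code from either poster, here is a small Python checker that parses the CFID/CFTOKEN pairs your own server hands out and reports what the scanner is actually measuring: whether CFID advances as a counter, and how much keyspace the CFTOKEN contributes on top of it. The cookie values, the 100-step CFID gap and the 64-bit floor are assumptions chosen for the illustration.

```python
import math
import re
import string

# Constructed CFID/CFTOKEN pairs (not captured data) in the two shapes the
# thread discusses: the classic 8-digit CFTOKEN and a GUID-style CFTOKEN.
NUMERIC_COOKIES = [
    "CFID=3117; CFTOKEN=57301469",
    "CFID=3118; CFTOKEN=80249135",
    "CFID=3121; CFTOKEN=12905874",
    "CFID=3122; CFTOKEN=66418320",
]
GUID_COOKIES = [
    "CFID=3117; CFTOKEN=a1b2c3d4e5f6a7b8-3C9E5B2A-1F4D-4E7B-9A0C3D2E1F5B6A7C",
    "CFID=3118; CFTOKEN=0f1e2d3c4b5a6978-7B2D9E1A-6C3F-4A8D-0E5F1A2B3C4D5E6F",
]

COOKIE_RE = re.compile(r"CFID=(\d+)\s*;\s*CFTOKEN=([0-9A-Za-z-]+)")

def parse_cf_cookie(cookie):
    """Return (cfid, cftoken) from a Cookie / Set-Cookie style string."""
    m = COOKIE_RE.search(cookie)
    if not m:
        raise ValueError("no CFID/CFTOKEN pair in: %r" % cookie)
    return int(m.group(1)), m.group(2)

def cfid_predictable(cfids, max_gap=100):
    """CFID behaves as a counter: successive values rise by small steps."""
    return all(0 < b - a <= max_gap for a, b in zip(cfids, cfids[1:]))

def token_keyspace_bits(token):
    """Upper bound on CFTOKEN entropy from its length and alphabet.
    Real entropy can be lower if the generator is weak (e.g. time-based)."""
    core = token.replace("-", "")          # hyphens are fixed separators
    if core.isdigit():
        alphabet = 10
    elif all(c in string.hexdigits for c in core):
        alphabet = 16
    else:
        alphabet = 62                      # assume mixed-case alphanumerics
    return len(core) * math.log2(alphabet)

def assess(cookies, min_bits=64):
    """min_bits=64 is an assumed floor for session-ID entropy (see lead-in)."""
    pairs = [parse_cf_cookie(c) for c in cookies]
    cfids = [p[0] for p in pairs]
    tokens = [p[1] for p in pairs]
    bits = min(token_keyspace_bits(t) for t in tokens)   # weakest token wins
    unique = len(set(tokens)) == len(tokens)
    return {"cfid_predictable": cfid_predictable(cfids), "cftoken_bits": bits,
            "tokens_unique": unique, "passes": bits >= min_bits and unique}
```

Both samples report a predictable CFID; only the GUID-style tokens clear the assumed floor, which is the point of the reply above that the security of the pair rests entirely on the CFTOKEN and on issuing a fresh one at sign-in.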

