Jim Harris and Jason Dean recently gave good presentations on
ColdFusion security at cfmeetup. You might want to check out the
recordings.
http://www.meetup.com/coldfusionmeetup/messages/boards/thread/6063152

cfid and cftoken should be described in the manual, which can be found
online, if you want to point people to documentation indicating that
the session token is random. If you are really concerned about
security then jsessionids or making your own session tracking
mechanism would be a bit more secure than the default cf tokens.

-Mike Chabot

On Wed, Feb 4, 2009 at 10:41 AM, Joshua O'Connor-Rose
<[email protected]> wrote:
>
> We are setting up our sites for PCI compliance and a third party
> (securitymetrics) is evaluating our sites and returning this issue
>
> "Synopsis : The remote web server generates predictable session IDs.
> Description : The remote web server generates a session ID for each
> connection. A session ID is typically used to keep track of the
> actions of a user while he visits a web site. The remote server
> generates non-random session IDs. An attacker might use this flaw to
> guess the session IDs of other users and therefore steal their
> session. See also : http://pdos.csail.mit.edu/cookies/seq_sessionid.html
> Solution: Configure the remote site and CGIs so as to use
> random session IDs. Risk Factor: Medium  / CVSS Base Score : 6.4
> (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)"
>
> This report shows up for CF sites.  It is generated by the scans we
> are doing for PCI compliance, which means it HAS to be fixed.
>
> After doing a bit of research I'm finding the CFID will always be
> sequential no matter what you set up on the server but that isn't the
> only thing that sessions rely on. (They also rely on cftoken which is
> randomized) I thought by changing to JSESSIONID that would solve the
> issue. But further research determined this was a terrible idea as we
> have a number of sites that rely on client variable state and newer
> sites that use session state variables (and a disturbing few that use
> both)
>
> So I want to help the infrastructure folks with this and be able to
> articulate either that CF sessions rely on both CFID and CFTOKEN and
> since one is randomized that we meet the requirements, or learn a way
> to set it up so that the sites pass the test.
>
> Does anyone have a solution for this? Has anyone encountered this issue
> before?
>
> Anything that could help would be appreciated
>
>
> --
> Joshua O'Connor-Rose
> -All is Good
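
A small check of what the quoted scanner finding is measuring, added here as an example (it is not code from either poster or from ColdFusion): it parses a constructed batch of Set-Cookie values from successive fresh requests, flags any cookie whose values step up by small increments (the CFID behaviour described above), and estimates the keyspace of the remaining parts so the pair can be reasoned about before a rescan. All sample values, function names and the gap threshold are made up for the example.

```python
import math
import re

# Constructed sample of cookie values from five successive fresh requests
# (made up for this example, not data from the thread).
SAMPLE_COOKIES = [
    "CFID=1041; CFTOKEN=53849012",
    "CFID=1042; CFTOKEN=91740236",
    "CFID=1043; CFTOKEN=28475619",
    "CFID=1044; CFTOKEN=66093187",
    "CFID=1045; CFTOKEN=10927364",
]


def parse_cookies(header: str) -> dict:
    """Split 'A=1; B=2' into {'A': '1', 'B': '2'}."""
    return dict(part.strip().split("=", 1) for part in header.split(";") if "=" in part)


def is_sequential(values, max_gap=10) -> bool:
    """True when every value is an integer and each sample is within max_gap of the previous one."""
    if not all(re.fullmatch(r"\d+", v) for v in values):
        return False
    nums = [int(v) for v in values]
    return all(0 <= b - a <= max_gap for a, b in zip(nums, nums[1:]))


def keyspace_bits(values) -> float:
    """Upper bound on the token keyspace in bits: observed alphabet ** shortest length."""
    alphabet = set("".join(values))
    return min(len(v) for v in values) * math.log2(len(alphabet))


def assess(cookie_headers) -> dict:
    """Per-cookie verdict plus the bits that actually resist guessing (sequential parts add nothing)."""
    parsed = [parse_cookies(h) for h in cookie_headers]
    names = sorted(set().union(*parsed))
    report = {}
    for name in names:
        vals = [p[name] for p in parsed if name in p]
        report[name] = {
            "sequential": is_sequential(vals),
            "keyspace_bits": round(keyspace_bits(vals), 1),
        }
    effective = sum(r["keyspace_bits"] for r in report.values() if not r["sequential"])
    report["effective_bits"] = round(effective, 1)
    return report


if __name__ == "__main__":
    for name, verdict in assess(SAMPLE_COOKIES).items():
        print(name, verdict)
```

Run against real captures, the "sequential" flag is what triggers the scanner's predictable-session-ID finding, while "effective_bits" is the figure to compare against whatever token length your policy requires.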


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:318914