> After doing a bit of research I'm finding the CFID will always be
> sequential no matter what you set up on the server but that isn't the
> only thing that sessions rely on. (They also rely on cftoken which is
> randomized)

This is correct. The session identifier consists of both fields. I would
recommend that you use UUIDs for CFTOKEN, though.

> I thought by changing to JSESSIONID that would solve the
> issue. But further research determined this was a terrible idea as we
> have a number of sites that rely on client variable state and newer
> sites that use session state variables (and a disturbing few that use
> both)

The new sites will be fine with JSESSIONID, then.

> So I want to help the infrastructure folks with this and be able to
> articulate either that CF sessions rely on both CFID and CFTOKEN and
> since one is randomized that we meet the requirements, or learn a way
> to set it up so that the sites pass the test.
>
> Does anyone have a solution for this? Has anyone encountered this issue
> before?

I don't really see what you can do, other than tell your auditor what you
wrote here - that the session token consists of both cookies, one of which
is random.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:318918
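Added example, not part of the list post above and not ColdFusion code: a small Python check of the kind the auditor (or the infrastructure team) could run against captured responses to document what the reply describes. It parses the CFID and CFTOKEN cookies from a series of Set-Cookie headers, confirms that CFID is handed out sequentially, and classifies CFTOKEN as ColdFusion's default random 8-digit number or as the longer UUID-style value, reporting an upper bound on the token's character space. The header blocks are constructed, not captured from any server; the layout of the UUID-style sample values (a hex prefix plus a 35-character UUID) is an assumption used only to build the sample, and the checks key on character set and length rather than on that layout. The `max_gap` tolerance for "sequential" is likewise an assumption.

```python
"""Inspect the CFID/CFTOKEN cookie pair that ColdFusion uses as its session identifier.

Added example, not code from the list post or from ColdFusion itself. The
Set-Cookie lines below are constructed to imitate four successive responses
from a ColdFusion server; nothing is fetched over the network. To use it on a
real server, replace the lists with the raw header blocks you captured.
"""
import math
import re

# Constructed sample 1: CFTOKEN left at ColdFusion's default (random 8-digit number).
DEFAULT_TOKEN_RESPONSES = [
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1201;path=/\r\nSet-Cookie: CFTOKEN=48391027;path=/\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1202;path=/\r\nSet-Cookie: CFTOKEN=91047382;path=/\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1203;path=/\r\nSet-Cookie: CFTOKEN=20384719;path=/\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1204;path=/\r\nSet-Cookie: CFTOKEN=77310492;path=/\r\n",
]

# Constructed sample 2: the Administrator's "Use UUID for cftoken" option on.
# The exact layout (hex prefix plus a 35-character UUID) is an assumption used
# only to build the sample; the checks below key on character set and length.
UUID_TOKEN_RESPONSES = [
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1201;path=/\r\nSet-Cookie: CFTOKEN=6f1c2d3e4a5b6c7d-9B1E4A02-7C3D-4F11-8AA2B5C6D7E8F901;path=/\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1202;path=/\r\nSet-Cookie: CFTOKEN=0a9b8c7d6e5f4a3b-C41D9E77-2B0A-4E63-91F2A3B4C5D6E7F8;path=/\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1203;path=/\r\nSet-Cookie: CFTOKEN=deadbeef01234567-5F3A2B1C-8D9E-4A01-B2C3D4E5F6A7B8C9;path=/\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1204;path=/\r\nSet-Cookie: CFTOKEN=13579bdf2468ace0-A0B1C2D3-E4F5-4061-728394A5B6C7D8E9;path=/\r\n",
]

COOKIE_RE = re.compile(r"Set-Cookie:\s*(CFID|CFTOKEN)=([^;\s]+)", re.IGNORECASE)


def parse_cf_cookies(raw_headers):
    """Return {'CFID': ..., 'CFTOKEN': ...} from one response's raw header block."""
    found = {name.upper(): value for name, value in COOKIE_RE.findall(raw_headers)}
    if "CFID" not in found or "CFTOKEN" not in found:
        raise ValueError("response did not set both CFID and CFTOKEN")
    return found


def cfid_is_sequential(cfids, max_gap=10):
    """True when each CFID is larger than the previous one by at most max_gap.

    Other clients may take IDs between our requests, so a small gap still
    counts as sequential; max_gap=10 is an assumption, not a ColdFusion rule.
    """
    ints = [int(c) for c in cfids]
    return len(ints) > 1 and all(0 < b - a <= max_gap for a, b in zip(ints, ints[1:]))


def classify_cftoken(token):
    """'numeric-8' for the default 8-digit token, 'uuid-style' for a long hex token."""
    if re.fullmatch(r"\d{8}", token):
        return "numeric-8"
    if re.fullmatch(r"[0-9A-Fa-f-]{35,}", token):
        return "uuid-style"
    return "other"


def charset_bits(token):
    """Upper bound on the token's entropy: bits needed to encode its character space.

    Hyphens are fixed layout, not randomness, so they are not counted. This is
    a ceiling, not a measurement of how random the generator actually is.
    """
    body = token.replace("-", "")
    alphabet = 10 if body.isdigit() else 16
    return len(body) * math.log2(alphabet)


def assess(responses, max_gap=10):
    """Summarise what the CFID/CFTOKEN pair looks like across several responses."""
    cookies = [parse_cf_cookies(r) for r in responses]
    cfids = [c["CFID"] for c in cookies]
    tokens = [c["CFTOKEN"] for c in cookies]
    classes = {classify_cftoken(t) for t in tokens}
    report = {
        "cfid_sequential": cfid_is_sequential(cfids, max_gap),
        "cftoken_distinct": len(set(tokens)) == len(tokens),
        "cftoken_class": classes.pop() if len(classes) == 1 else "mixed",
        "cftoken_bits": min(charset_bits(t) for t in tokens),
    }
    # CFID being predictable is expected; the randomness lives in CFTOKEN, so
    # flag the 8-digit default as the thing worth switching to UUIDs.
    report["recommend_uuid"] = report["cftoken_class"] == "numeric-8"
    return report


if __name__ == "__main__":
    for label, responses in (("default CFTOKEN", DEFAULT_TOKEN_RESPONSES),
                             ("UUID CFTOKEN", UUID_TOKEN_RESPONSES)):
        print(label, assess(responses))
```

On the default sample the report shows CFID sequential, CFTOKEN distinct but only 8 decimal digits (about 26.6 bits of character space) and recommends the UUID option; on the UUID sample the same sequential CFID is paired with a far larger token space, which is the point the reply makes to the auditor: the predictable half of the pair is not the secret half.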

