> Justin, thanks for the reply, and I get your point, but I can't break out
> the registration process into a standalone site quickly. There must be a
> fairly quick solution to this problem. Surely, I can't be the first to
> deal with this.
Another option might be to ask your scanning vendor for an exception to that scanning rule. If you can demonstrate to them that no credit card information is accessible through the user's account (e.g. the card number isn't visible anywhere, etc., and it really doesn't matter if the session is hijacked from the standpoint of credit card security) and explain the situation, they are generally willing to work with you on this kind of thing.

Remember, their scanning rules are designed to cover the widest possible threat model. If you have specific needs that don't fit into that model but have compensating controls in place, it shouldn't be a problem (e.g. this used to be an issue with the incremental session IDs which the scanners check for, but paired with the random session token as a compensating control they would always make an exception for this rule when asked).

-Justin Sco
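A pre-scan self-check for the compensating control described above, as an added example that is not from this thread: it flags an incrementing numeric session id (the pattern scanners look for) and checks whether the paired token is long, hex and non-repeating, which is what makes the combined session identifier unguessable. The `id:token` cookie layout and every sample value are constructed assumptions, not a specific product's format.

```python
import re

# Constructed sample cookie values, one per successive login, as a
# pre-scan self-check would collect them. The numeric part increments
# (the pattern scanners flag); the token part is random. All values are
# made up for this example.
SAMPLE_SESSIONS = [
    "10451:7f3a9c2e1b8d4f60",
    "10452:a81d0c4e95f7b2c3",
    "10453:3c5e7b9d1f2a4680",
    "10454:e6b2d8f0c4a19375",
    "10455:59d7e1b3f8c2a046",
    "10456:b4f1a7c9e3d5082f",
]


def is_incremental(values, max_gap=10):
    """True if every consecutive pair of decimal ids differs by a small
    positive step, i.e. the next id is predictable from the current one."""
    nums = [int(v) for v in values]
    if len(nums) < 2:
        return False
    return all(0 < b - a <= max_gap for a, b in zip(nums, nums[1:]))


def looks_random_hex(values, min_bits=64):
    """Coarse check on the token part: fixed length, hex alphabet, no
    repeats, and at least min_bits of nominal entropy. A sanity check,
    not a statistical randomness test."""
    if not values or len(set(values)) != len(values):
        return False
    lengths = {len(v) for v in values}
    if len(lengths) != 1:
        return False
    if not all(re.fullmatch(r"[0-9a-f]+", v) for v in values):
        return False
    return lengths.pop() * 4 >= min_bits


def assess(cookies):
    """Split each 'id:token' cookie and report whether the session is
    guessable: an incremental id with no random token to compensate."""
    ids, tokens = zip(*(c.split(":", 1) for c in cookies))
    incremental = is_incremental(ids)
    compensated = looks_random_hex(tokens)
    return {
        "incremental_id": incremental,
        "random_token": compensated,
        "guessable_session": incremental and not compensated,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SESSIONS))
```

If `guessable_session` comes back True, that is the finding a scanner will report; if the id is incremental but the token passes, the exception request above is the conversation to have with the vendor.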

