Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth <[email protected]> wrote:
>
> Hi, all... Trying to get my server to pass PCI-Compliance and I was dinged
> for the server (CF) using non-random session id's (CFID's). They found three
> consecutive CFID's in use. However, I noticed in the CF documentation that
> CF-Tokens are random. And I opted for the long-form CF-Tokens in the
> administrator. Is there a way to use random CFID's or is that what the
> random CF-Tokens are for: to provide a pair of variables, that together
> satisfy randomness requirements for sessions? Thanks for any feedback! Rick
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355202
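The check behind this exchange, as an added example that is not part of the thread or of any ColdFusion product: a small Python script that reads the Set-Cookie headers a scanner would collect over a few requests, reports whether the CFID values count up sequentially (the finding Rick was dinged for), and classifies each CFTOKEN as a short numeric value (the setting off) or a UUID-style value (the setting on). The sample headers are constructed, not captured from a real server. It assumes ColdFusion's CreateUUID() layout of 8-4-4-16 hex groups and, per Pete's note that the CF9/10 token is "more than just a UUID", only requires that pattern to appear somewhere in the CFTOKEN value; the exact prefix layout is not asserted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers (not captured from any real server),
# modelling three consecutive requests with "Use UUID for CFTOKEN" OFF:
# CFID counts up by one and CFTOKEN is an 8-digit number.
WEAK_SAMPLE = [
    "CFID=1001; Path=/; HttpOnly",
    "CFTOKEN=48299201; Path=/; HttpOnly",
    "CFID=1002; Path=/; HttpOnly",
    "CFTOKEN=17763250; Path=/; HttpOnly",
    "CFID=1003; Path=/; HttpOnly",
    "CFTOKEN=90014532; Path=/; HttpOnly",
]

# Constructed sample with the setting ON: CFID still counts up, but each
# CFTOKEN carries a CF-style UUID (the token values below are made up).
UUID_SAMPLE = [
    "CFID=1001; Path=/; HttpOnly",
    "CFTOKEN=31874410a1b2c3d4-e5f6-a7b8-c9d0e1f2a3b4c5d6; Path=/; HttpOnly",
    "CFID=1002; Path=/; HttpOnly",
    "CFTOKEN=90211873f0e1d2c3-b4a5-9687-78695a4b3c2d1e0f; Path=/; HttpOnly",
    "CFID=1003; Path=/; HttpOnly",
    "CFTOKEN=55502198deadbeef-0102-0304-05060708090a0b0c; Path=/; HttpOnly",
]

# ColdFusion's CreateUUID() output is 35 characters in 8-4-4-16 hex groups
# (not the RFC 4122 8-4-4-4-12 layout). Assumption: a UUID-style CFTOKEN
# contains that pattern somewhere in the value, possibly behind a prefix.
CF_UUID_RE = re.compile(
    r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}"
)
COOKIE_RE = re.compile(r"^\s*(CFID|CFTOKEN)=([^;]*)", re.IGNORECASE)


def parse_session_cookies(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (NAME, value) pairs for CFID/CFTOKEN cookies, in header order."""
    found = []
    for header in headers:
        match = COOKIE_RE.match(header)
        if match:
            found.append((match.group(1).upper(), match.group(2)))
    return found


def classify_cftoken(value: str) -> str:
    """'numeric' for the classic short token, 'uuid' for the CF9/10 style."""
    if value.isdigit():
        return "numeric"
    if CF_UUID_RE.search(value):
        return "uuid"
    return "other"


def cfids_are_sequential(cfids: List[str]) -> bool:
    """True when every CFID is exactly one more than the previous one."""
    numbers = []
    for cfid in cfids:
        if not cfid.isdigit():
            return False
        numbers.append(int(cfid))
    if len(numbers) < 2:
        return False
    return all(b - a == 1 for a, b in zip(numbers, numbers[1:]))


def assess(headers: List[str]) -> Dict[str, object]:
    """Summarise what a scanner would conclude from the sampled headers."""
    cookies = parse_session_cookies(headers)
    cfids = [v for name, v in cookies if name == "CFID"]
    tokens = [v for name, v in cookies if name == "CFTOKEN"]
    formats = sorted({classify_cftoken(t) for t in tokens})
    sequential = cfids_are_sequential(cfids)
    if not tokens:
        verdict = "no CFTOKEN seen"
    elif "numeric" in formats:
        # Predictable CFID paired with a short numeric CFTOKEN: the finding stands.
        verdict = "weak"
    elif sequential and formats == ["uuid"]:
        # Predictable CFID, but the session key is the CFID+CFTOKEN pair and
        # the CFTOKEN is UUID-style: the case Pete describes explaining away.
        verdict = "acceptable"
    elif formats == ["uuid"]:
        verdict = "ok"
    else:
        verdict = "review"
    return {"cfid_sequential": sequential, "cftoken_formats": formats, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("setting off", WEAK_SAMPLE), ("setting on", UUID_SAMPLE)):
        print(label, assess(sample))
```

Run it against headers captured from your own server (for example by collecting the Set-Cookie lines from a handful of fresh requests) to confirm the CFTOKEN format before replying to the scanning vendor; a "weak" verdict means the administrator setting is still off.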

