Tell the PCI testing company that the session requires two tokens, CFID and CFTOKEN, and while one is consecutive the other is random. They will place it in their testing as an exception. We have to do this all the time with each new client <sigh> even when it is the same testing company. We have never had any trouble or blowback on this issue once we tell them.
Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

-----Original Message-----
From: Rick Faircloth [mailto:[email protected]]
Sent: Friday, March 29, 2013 11:49 AM
To: cf-talk
Subject: PCI-Compliance Ding for Non-Random CFID's

Hi, all...

Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.

However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.

Is there a way to use random CFID's or is that what the random CF-Tokens are for: to provide a pair of variables, that together satisfy randomness requirements for sessions?

Thanks for any feedback!

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355209
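The CFID/CFTOKEN pairing discussed in this thread can be checked against your own server's responses before the exception is raised with the scanning vendor. The script below is an added example, not part of the original thread: the header lines and token values are constructed, and the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed Set-Cookie lines for three back-to-back sessions. The values are
# made up for this example and are not captured from a real ColdFusion server.
SAMPLE_HEADERS = """\
Set-Cookie: CFID=48211; path=/
Set-Cookie: CFTOKEN=7f3a9c1e5b2d4086-A41C9E02-D7B3-4F6A-9E15-0C8B7D2A61F3; path=/
Set-Cookie: CFID=48212; path=/
Set-Cookie: CFTOKEN=1c84e0b7a95f23d6-5E9B07C4-38A1-4D2F-B6C0-F1273A9D84E5; path=/
Set-Cookie: CFID=48213; path=/
Set-Cookie: CFTOKEN=e2b6074d9a1f8c35-0B7D4A96-C5E2-41F8-8A3D-6E90B2C7F154; path=/
"""

COOKIE_RE = re.compile(r"^Set-Cookie:\s*(CFID|CFTOKEN)=([^;\s]+)", re.I | re.M)

def collect(headers):
    """Group CFID and CFTOKEN values by name, in the order they were issued."""
    values = {"CFID": [], "CFTOKEN": []}
    for name, value in COOKIE_RE.findall(headers):
        values[name.upper()].append(value)
    return values

def is_consecutive(values):
    """True when each value is an integer exactly one above the previous one."""
    if len(values) < 2 or not all(v.isdigit() for v in values):
        return False
    nums = [int(v) for v in values]
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))

def min_diff_ratio(values):
    """Smallest share of differing characters between any two values.
    A crude screen for counter-like values, not an entropy measurement."""
    ratios = []
    for a, b in combinations(values, 2):
        width = max(len(a), len(b))
        diff = sum(x != y for x, y in zip(a.ljust(width), b.ljust(width)))
        ratios.append(diff / width)
    return min(ratios) if ratios else 0.0

def assess(headers):
    """Report each cookie separately, then the pair the session depends on."""
    report = {name: {"consecutive": is_consecutive(vals),
                     "min_diff_ratio": round(min_diff_ratio(vals), 3)}
              for name, vals in collect(headers).items()}
    # Both values are required, so the pair is only sequential if every part is.
    report["pair_consecutive"] = all(
        report[name]["consecutive"] for name in ("CFID", "CFTOKEN"))
    return report

if __name__ == "__main__":
    for key, result in assess(SAMPLE_HEADERS).items():
        print(key, result)
```

Run against headers collected from your own site, the per-cookie report shows which of the two values the scanner is reacting to and which one carries the unpredictability.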

