Thanks for the info, Pete. That should satisfy the compliance company that ColdFusion's combination of CFID and CF-Token are, indeed, truly random and meets their requirements.

Rick

> To: cf-talk@houseoffusion.com
> Subject: Re: PCI-Compliance Ding for Non-Random CFID's
> Date: Mon, 1 Apr 2013 11:34:55 -0400
> From: p...@foundeo.com
>
> On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth <r...@whitestonemedia.com> wrote:
>
> > Thanks for the reply, Pete... If I remember all of the conversation
> > correctly, when we came to the "ding" for consecutive session variables, the
> > scanning vendor rep did mention the fact that a CFToken was involved and
> > that made a difference. I did look up the information on this in the docs
> > (CF9) and it did mention changing the CFToken to a long format (I didn't
> > want to say "UUID" because, without looking it up, I wasn't sure that's the
> > way it was labeled).
>
> Yes it is labeled use UUID for CFTOKEN in ColdFusion administrator, but it
> is actually more than just a UUID in modern versions of ColdFusion, for
> example it might look like this:
>
> 545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
> ^ (Random)       ^ (UUID)
>
> Which contains a random value (which I believe is also generated using a
> secure random generator like the jsessionid) concatenated with a UUID.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
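For anyone facing the same scanner finding, here is an added example (my own code, not from the thread, ColdFusion, or any scanning vendor) of the check I would run on a sample of captured session cookies before arguing with the compliance company. The layout of the "UUID"-style CFTOKEN (16 hex characters, a dash, then a ColdFusion UUID written as 8-4-4-16 hex groups) is taken from the one sample Pete posted; the legacy decimal CFTOKEN pattern, the bit accounting and the sample values are assumptions of mine. The point it demonstrates is the one made above: CFID on its own is a sequential integer and will always look predictable, so what matters is that every CFTOKEN paired with it carries a random component.

```python
import re
import math

# Assumed from the single sample in the thread: 16 hex chars of random prefix,
# a dash, then a ColdFusion UUID in 8-4-4-16 hex groups.
UUID_STYLE_CFTOKEN = re.compile(
    r"^(?P<random>[0-9a-f]{16})-"
    r"(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16})$",
    re.IGNORECASE,
)
# Assumption: the pre-"UUID" CFTOKEN setting produces a short decimal number.
LEGACY_CFTOKEN = re.compile(r"^\d{1,8}$")


def classify_cftoken(token):
    """Split a CFTOKEN into its parts and report the nominal size of the random prefix.

    Only the random prefix is counted toward random_bits; the UUID part is not
    counted because its internal structure is not specified here.
    """
    m = UUID_STYLE_CFTOKEN.match(token)
    if m:
        return {
            "format": "uuid",
            "random": m.group("random"),
            "uuid": m.group("uuid"),
            "random_bits": len(m.group("random")) * 4,  # 16 hex chars -> 64 bits
        }
    if LEGACY_CFTOKEN.match(token):
        # A decimal token of n digits can take at most 10**n values.
        return {
            "format": "legacy",
            "random": token,
            "uuid": None,
            "random_bits": round(math.log2(10 ** len(token)), 1),
        }
    return {"format": "unknown", "random": None, "uuid": None, "random_bits": 0}


def sequential_ids(values):
    """True when the observed ids form a run of consecutive integers.

    This is the pattern a PCI scanner flags when it looks at CFID alone.
    """
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def assess_session(cfid_values, cftoken_values):
    """Combine both checks for a batch of captured CFID/CFTOKEN pairs.

    ColdFusion identifies a session by CFID plus CFTOKEN, so a sequential CFID
    is acceptable only if every CFTOKEN in the sample is of the UUID style.
    """
    tokens = [classify_cftoken(t) for t in cftoken_values]
    all_uuid_style = all(t["format"] == "uuid" for t in tokens)
    return {
        "cfid_sequential": sequential_ids(cfid_values),
        "cftoken_uuid_style": all_uuid_style,
        "min_random_bits": min(t["random_bits"] for t in tokens) if tokens else 0,
        "acceptable": all_uuid_style,
    }


if __name__ == "__main__":
    # Constructed sample: sequential CFIDs paired with UUID-style tokens.
    # The first token is Pete's example; the second is made up for illustration.
    sample_cfids = ["1001", "1002", "1003"]
    sample_tokens = [
        "545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476",
        "0123456789abcdef-00000000-0000-0000-0000000000000000",
        "fedcba9876543210-FFFFFFFF-FFFF-FFFF-FFFFFFFFFFFFFFFF",
    ]
    print(assess_session(sample_cfids, sample_tokens))
    # Same CFIDs with legacy short tokens: this is the configuration that
    # deserves the "ding".
    print(assess_session(sample_cfids, ["12345678", "12345679", "12345680"]))
```

Running this against a few dozen cookies collected from fresh sessions gives you a concrete artefact to hand to the scanning vendor: sequential CFIDs with 64 nominal random bits in every CFTOKEN, versus sequential CFIDs with short decimal tokens that are the real finding.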
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355212