Re: PCI-Compliance Ding for Non-Random CFID's
On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth r...@whitestonemedia.com wrote:

> Thanks for the reply, Pete...
>
> If I remember all of the conversation correctly, when we came to the ding for consecutive session variables, the scanning vendor rep did mention the fact that a CFToken was involved and that made a difference. I did look up the information on this in the docs (CF9) and it did mention changing the CFToken to a long format (I didn't want to say UUID because, without looking it up, I wasn't sure that's the way it was labeled).

Yes, it is labeled "Use UUID for CFTOKEN" in the ColdFusion Administrator, but it is actually more than just a UUID in modern versions of ColdFusion. For example, it might look like this:

545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
^ (Random)       ^ (UUID)

Which contains a random value (which I believe is also generated using a secure random generator, like the jsessionid) concatenated with a UUID.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355211
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
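As an added illustration (not code from this thread or from ColdFusion itself), the following Python check splits the long-form CFTOKEN described in the reply above into its random prefix and ColdFusion-style UUID, and reports for a batch of observed session cookies whether the CFIDs are consecutive and whether the CFTOKEN is what carries the unpredictability. The 8-4-4-16 UUID layout, the 16-hex-character random prefix and the sample cookies are assumptions constructed from the single token shown above.

```python
import re

# Long-form CFTOKEN as shown in the reply above: a 16-hex-char random prefix
# followed by a ColdFusion-style UUID (8-4-4-16 hex groups; assumed layout).
LONG_CFTOKEN = re.compile(
    r"^(?P<rand>[0-9a-fA-F]{16})-"
    r"(?P<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{16})$"
)

def parse_cftoken(token):
    """Split a long-form CFTOKEN into random prefix and UUID; None if not long-form."""
    m = LONG_CFTOKEN.match(token)
    if not m:
        return None
    return {"random": m.group("rand"), "uuid": m.group("uuid")}

def cfids_consecutive(cfids):
    """True when each CFID is exactly one more than the previous (what the scanner flagged)."""
    ids = [int(c) for c in cfids]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))

def assess_sessions(samples):
    """samples: (CFID, CFTOKEN) pairs collected from consecutive new sessions.
    The session key is the CFID/CFTOKEN pair: CFID may be sequential, but the
    pair is unpredictable only when every CFTOKEN is long-form and distinct."""
    tokens = [parse_cftoken(t) for _, t in samples]
    long_form = all(t is not None for t in tokens)
    distinct = len({t for _, t in samples}) == len(samples)
    return {
        "cfid_consecutive": cfids_consecutive([c for c, _ in samples]),
        "cftoken_long_form": long_form,
        "cftoken_distinct": distinct,
        "pair_unpredictable": long_form and distinct,
    }

# Constructed samples: three consecutive CFIDs with long-form tokens
# (the first token is the one quoted in the reply; the other two are made up).
SAMPLES = [
    ("1001", "545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476"),
    ("1002", "0c3b9e71d2a84f65-B1C2D3E4-0F1A-2B3C-4D5E6F708192A3B4"),
    ("1003", "9f8e7d6c5b4a3921-C0FFEE01-ABCD-EF01-23456789ABCDEF01"),
]
# Constructed samples with the UUID option off: short numeric tokens.
SHORT_SAMPLES = [("1001", "12345678"), ("1002", "12345679"), ("1003", "12345680")]

if __name__ == "__main__":
    print(assess_sessions(SAMPLES))        # pair_unpredictable: True
    print(assess_sessions(SHORT_SAMPLES))  # pair_unpredictable: False
```

Run against cookies captured from a few fresh sessions on your own server, the result is the evidence to hand the scanning vendor: consecutive CFIDs alongside long-form, distinct CFTOKENs.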
RE: PCI-Compliance Ding for Non-Random CFID's
Thanks for the info, Pete. That should satisfy the compliance company that ColdFusion's combination of CFID and CF-Token is, indeed, truly random and meets their requirements.

Rick

> To: cf-talk@houseoffusion.com
> Subject: Re: PCI-Compliance Ding for Non-Random CFID's
> Date: Mon, 1 Apr 2013 11:34:55 -0400
> From: p...@foundeo.com
>
> On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth r...@whitestonemedia.com wrote:
>
> > Thanks for the reply, Pete...
> >
> > If I remember all of the conversation correctly, when we came to the ding for consecutive session variables, the scanning vendor rep did mention the fact that a CFToken was involved and that made a difference. I did look up the information on this in the docs (CF9) and it did mention changing the CFToken to a long format (I didn't want to say UUID because, without looking it up, I wasn't sure that's the way it was labeled).
>
> Yes, it is labeled "Use UUID for CFTOKEN" in the ColdFusion Administrator, but it is actually more than just a UUID in modern versions of ColdFusion. For example, it might look like this:
>
> 545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
> ^ (Random)       ^ (UUID)
>
> Which contains a random value (which I believe is also generated using a secure random generator, like the jsessionid) concatenated with a UUID.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355212
Re: PCI-Compliance Ding for Non-Random CFID's
Turning on "Use J2EE sessions" will give you a cryptographically strong random token.

-Cameron

On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth r...@whitestonemedia.com wrote:

> Hi, all...
>
> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
>
> However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.
>
> Is there a way to use random CFID's, or is that what the random CF-Tokens are for: to provide a pair of variables that together satisfy randomness requirements for sessions?
>
> Thanks for any feedback!
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355197
Re: PCI-Compliance Ding for Non-Random CFID's
> Hi, all...
>
> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
>
> However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.
>
> Is there a way to use random CFID's, or is that what the random CF-Tokens are for: to provide a pair of variables that together satisfy randomness requirements for sessions?

I don't think there's any way to control the values issued for CFID. The CFTOKEN values are random and secure if you choose that option in the CF Administrator. But I'd second Cameron's recommendation to use J2EE sessions if you can. You'll get a single token that is secure. Plus, the token will be discarded when the browser is closed.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355198
Re: PCI-Compliance Ding for Non-Random CFID's
Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth r...@whitestonemedia.com wrote:

> Hi, all...
>
> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
>
> However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.
>
> Is there a way to use random CFID's, or is that what the random CF-Tokens are for: to provide a pair of variables that together satisfy randomness requirements for sessions?
>
> Thanks for any feedback!
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355202
Re: PCI-Compliance Ding for Non-Random CFID's
> Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).

I can second that. We've run into this before, and any QSA who knows what they're doing will put an exception in place for this scenario. Frankly, I'm surprised more of them haven't built this in as a rule by default when CFID and CFTOKEN are both present.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355203
RE: PCI-Compliance Ding for Non-Random CFID's
Thanks for the reply, Pete...

If I remember all of the conversation correctly, when we came to the ding for consecutive session variables, the scanning vendor rep did mention the fact that a CFToken was involved and that made a difference. I did look up the information on this in the docs (CF9) and it did mention changing the CFToken to a long format (I didn't want to say UUID because, without looking it up, I wasn't sure that's the way it was labeled).

I have changed the CFToken to the long format, so that should satisfy the vendor. I'm working with Security Metrics, the PCI-Compliance vendor for TD Bank. They've been very good about going over all the technicalities and offering suggestions and solutions to issues, such as this one.

Security Metrics has been good to work with so far and reasonably priced, so I thought I'd give them a shout-out. (btw, I own the company... no, just kidding!) I have no connection to them at all.

But thanks for the feedback, again, and just fyi, that's the only CF-related issue that came up at all in the compliance scan. :o)

Rick

> To: cf-talk@houseoffusion.com
> Subject: Re: PCI-Compliance Ding for Non-Random CFID's
> Date: Fri, 29 Mar 2013 13:37:01 -0400
> From: p...@foundeo.com
>
> Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).
>
> On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth r...@whitestonemedia.com wrote:
>
> > Hi, all...
> >
> > Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
> >
> > However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.
> >
> > Is there a way to use random CFID's, or is that what the random CF-Tokens are for: to provide a pair of variables that together satisfy randomness requirements for sessions?
> >
> > Thanks for any feedback!
> >
> > Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355204
RE: PCI-Compliance Ding for Non-Random CFID's
Tell the PCI testing company that the session requires two tokens, CFID and CFTOKEN, and while one is consecutive the other is random. They will place it in their testing as an exception. We have to do this all the time with each new client (sigh), even when it is the same testing company. We have never had any trouble or blowback on this issue once we tell them.

Dennis Powers
UXB Internet - A Website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T: 203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

-----Original Message-----
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Friday, March 29, 2013 11:49 AM
To: cf-talk
Subject: PCI-Compliance Ding for Non-Random CFID's

> Hi, all...
>
> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use.
>
> However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.
>
> Is there a way to use random CFID's, or is that what the random CF-Tokens are for: to provide a pair of variables that together satisfy randomness requirements for sessions?
>
> Thanks for any feedback!
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355209
RE: PCI-Compliance Ding for Non-Random CFID's
Thanks, Dennis!

Rick

> To: cf-talk@houseoffusion.com
> Subject: RE: PCI-Compliance Ding for Non-Random CFID's
> Date: Fri, 29 Mar 2013 18:03:23 -0400
> From: denn...@uxbinternet.com
>
> Tell the PCI testing company that the session requires two tokens, CFID and CFTOKEN, and while one is consecutive the other is random. They will place it in their testing as an exception. We have to do this all the time with each new client (sigh), even when it is the same testing company. We have never had any trouble or blowback on this issue once we tell them.
>
> Dennis Powers
> UXB Internet - A Website Design and Hosting Company

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355210