Re: Failed PCI Compliance test on CF9.01

2012-03-26 Thread Robert Rhodes
I wanted to circle back and thank everyone for their suggestions. Running the site in SSL all the time got us past, and the site seems to be working fine. I wish there was a better way, but this works. Thanks again. -RR On 3/6/12, Robert Rhodes rrhode...@gmail.com wrote: If jsessionids

RE: Failed PCI Compliance test on CF9.01

2012-03-06 Thread DURETTE, STEVEN J
Just out of curiosity, why can't you have the entire session running under SSL? Ever since Firesheep came out it is actually suggested to be all encrypted all the time. Steve -Original Message- From: Robert Rhodes [mailto:rrhode...@gmail.com] Sent: Tuesday, March 06, 2012 2:20 AM

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
It's a video streaming site for members. I can't believe my only option is to stream video across ssl. There must be another solution. -RR On Tue, Mar 6, 2012 at 7:46 AM, DURETTE, STEVEN J sd1...@att.com wrote: Just out of curiosity, why can't you have the entire session running under

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Justin Scott
It's a video streaming site for members.  I can't believe my only option is to stream video across ssl.  There must be another solution. There is: take the main site out of scope for compliance. The only parts of a system that have to be PCI compliant are the ones that handle credit card

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this. On Tue, Mar 6, 2012 at 8:44 AM, Justin Scott

RE: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Che Vilnonis
...@gmail.com] Sent: Tuesday, March 06, 2012 9:08 AM To: cf-talk Subject: Re: Failed PCI Compliance test on CF9.01 Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Donnie Bachan (Gmail)
and thought these options might help. Ché -Original Message- From: Robert Rhodes [mailto:rrhode...@gmail.com] Sent: Tuesday, March 06, 2012 9:08 AM To: cf-talk Subject: Re: Failed PCI Compliance test on CF9.01 Justin, thanks for the reply, and I get your point, but I can't break out

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Phillip Duba
I'll echo what Donnie said. We're actually running CF 8 with the DB client settings and did not have any issues with the cookies in our PCI audit, Phil On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) donnie.bac...@gmail.com wrote: Robert, This is odd that you are losing the session,

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Cameron Childress
On Tue, Mar 6, 2012 at 9:07 AM, Robert Rhodes rrhode...@gmail.com wrote: Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Justin Scott
Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly.  There must be a fairly quick solution to this problem.  Surely, I can't be the first to deal with this. Another option might be to ask your scanning vendor for

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Donnie Bachan (Gmail)
Justin, I don't think that would work though, depending on the level of compliance and the SAQ being completed I don't think any vendor will allow that exemption regardless of if credit card information is visible or not. If an attacker is allowed any access to a user session and can harvest any

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Justin Scott
Justin, I don't think that would work though, depending on the level of compliance and the SAQ being completed I don't think any vendor will allow that exemption regardless of if credit card information is visible or not. If an attacker is allowed any access to a user session and can harvest

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
Subject: Re: Failed PCI Compliance test on CF9.01 Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Phillip Duba
. Ché -Original Message- From: Robert Rhodes [mailto:rrhode...@gmail.com] Sent: Tuesday, March 06, 2012 9:08 AM To: cf-talk Subject: Re: Failed PCI Compliance test on CF9.01 Justin, thanks for the reply, and I get your point, but I can't break out

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
...@gmail.com] Sent: Tuesday, March 06, 2012 9:08 AM To: cf-talk Subject: Re: Failed PCI Compliance test on CF9.01 Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Donnie Bachan (Gmail)
Hi Robert, I'm not sure if I'm missing something but shouldn't you have setClientCookies to Yes? Otherwise you'd have to pass the JSESSIONID in the url on each request. Best Regards, Donnie Bachan Nitendo Vinces - By Striving You Shall Conquer

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
I just put back the jrun setting to pass cookies securely, and am sending the jsessionid securely again. And I am set up to use the database for client storage. It's still losing the session when I switch between http and https. I do have setclientcookies to no, because that sets cfid and

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Cameron Childress
On Tue, Mar 6, 2012 at 11:13 AM, Robert Rhodes rrhode...@gmail.com wrote: I just put back the jrun setting to pass cookies securely, and am sending the jsessionid securely again. And I am set up to use the database for client storage. It's still losing the session when I switch between

RE: Failed PCI Compliance test on CF9.01

2012-03-06 Thread DURETTE, STEVEN J
PCI Compliance test on CF9.01 I just put back the jrun setting to pass cookies securely, and am sending the jsessionid securely again. And I am set up to use the database for client storage. It's still losing the session when I switch between http and https. I do have setclientcookies

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Pete Freitag
Hi Robert, You are caught in a bit of a catch 22 here. If you want to set the secure attribute on session cookies delivered over SSL, but also have it use the same cookie values over non-ssl - then that defeats the purpose of adding the secure attribute. If you want to do that you can't use the

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
I hear you, but there are issues preventing me from going all https. It's a long story. Is there a way to copy, with some code in the application.cfm, the jsessionid between http and https so we don't lose the session state? -rr On Tue, Mar 6, 2012 at 11:24 AM, Pete Freitag p...@foundeo.com

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Cameron Childress
On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes rrhode...@gmail.com wrote: I hear you, but there are issues preventing me from going all https. It's a long story. Is there a way to copy, with some code in the application.cfm, the jsessionid between http and https so we don't lose the

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
Ok, I am going to try to make the site work all ssl. I am concerned about the video streaming over ssl, but I guess we will see how it goes. On a related subject: is there a way to make the jsessionid cookie secure without making the jrun change? I ask because doing so affects all sites on

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Cameron Childress
Yes. If it were me, I would turn setClientCookies=false in the Application.cfc|cfm and then set them manually using: `<cfcookie name="cfid" value="#session.cfid#" secure="true" />` `<cfcookie name="cftoken" value="#session.cftoken#" secure="true" />` If you google around a bit you can probably find some sample code
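A worked version of the approach above, added here as an example and not code from Cameron's post or from the thread: a tag-based Application.cfc for CF9 that disables automatic client cookies and re-issues CFID/CFTOKEN with the Secure and HttpOnly flags only on TLS requests. The application name and the plain-HTTP redirect are assumptions of this example; ColdFusion still reads incoming CFID/CFTOKEN cookies when setClientCookies is false, it just stops writing them itself.

```cfml
<cfcomponent output="false">
    <cfset this.name = "memberSite">  <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <!--- Stop ColdFusion from emitting CFID/CFTOKEN cookies on its own,
          because the ones it writes carry no Secure flag. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- cgi.server_port_secure is 1 when the request arrived over TLS.
              A Secure cookie is never sent by the browser on plain HTTP, so
              the session identifiers are only worth re-issuing on HTTPS. --->
        <cfif cgi.server_port_secure>
            <cfcookie name="CFID"    value="#session.cfid#"    secure="true" httponly="true" path="/">
            <cfcookie name="CFTOKEN" value="#session.cftoken#" secure="true" httponly="true" path="/">
        <cfelse>
            <!--- Assumed policy: a plain-HTTP request cannot carry the Secure
                  cookies, so send it to HTTPS instead of starting a second,
                  unprotected session for the same visitor. --->
            <cflocation url="https://#cgi.server_name##cgi.script_name#"
                        statuscode="301" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Clear existing CFID/CFTOKEN cookies in the browser before testing, since an old non-Secure cookie will keep being sent alongside the new one and confuse the result.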

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
That works for cfid and cftoken, thanks. But it won't work for jsessionid, because once that is selected in the administrator, it shows up as an unsecure cookie, even if you have setclientcookies turned off. That's a bummer, I wanted to use jsessionids. On Tue, Mar 6, 2012 at 1:59 PM, Cameron

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Cameron Childress
Try this: http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH -Cameron On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote: That works for cfid and cftoken, thanks. But it won't work for

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Cameron Childress
...also - make sure you've cleared out cookies in your browser after you've made CF code changes. Old cookies could be hanging out and screwing up your testing. -Cameron On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote: That works for cfid and cftoken, thanks. But it

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Justin Scott
On a related subject:  is there a way to make the jsessionid cookie secure without making the jrun change?  I ask because doing so affects all sites on the server, and I had planned to run other sites on this particular server. Be careful with this... if your billing system is on this server

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
Yes, I saw that. But he does not say how he made the new jsessionid string. I am sure it is not some random string he programmatically generated. So, there must be a way to get at the jsessionid even if you don't have jsessionidenabled in the administrator. On Tue, Mar 6, 2012 at 2:44 PM,

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Cameron Childress
On Tue, Mar 6, 2012 at 2:56 PM, Robert Rhodes rrhode...@gmail.com wrote: Yes, I saw that. But he does not say how he made the new jsessionid string. I am sure it is not some random string he programmatically generated. So, there must be a way to get at the jsessionid even if you don't

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Robert Rhodes
If jsessionids are enabled, CF appears to set that cookie, no matter what. I know of no way to prevent that from happening. And yes, even though the site is being loaded by https, the jsessionid cookie is still being set insecurely. As I said before, this should be easier than it is. Or maybe