Personally, I think that this warning is a false positive. CF gets flagged because CFID is not randomly generated; however, CFToken (in CF9 and higher) is random (at least partly). I cannot say for certain if the combined two values are random enough for PCI compliance; that is something you would have to ask a PCI expert. But if it is required that there are NO warnings in the automated test, including false positives, then no, you cannot use the client scope and be PCI compliant.

Remember that automated tools are stupid. It is only recognizing that the CFID value is not random, even if the CFToken value is. It does not understand that the two are related and that both pieces are required as part of the session token, so even if the two combined are sufficiently random, the test will always fail due to the lack of randomness in the one part of the token.

Jason

P.S. You should also keep in mind that the client scope sucks. It may seem convenient, but it has enough drawbacks that it is probably not worth using. http://www.dopefly.com/pages/ColdFusionClientVariablesFinalNail.cfm
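The point above (a scanner that scores each cookie on its own will always flag a sequential CFID even when the CFID:CFTOKEN pair is hard to guess) can be made concrete with a small entropy check. The following is an added example, not code from the poster or from ColdFusion: it builds a constructed sample of identifiers (a counter-style CFID and a 32-hex CFTOKEN; the widths and the starting value are assumptions), estimates per-position Shannon entropy for each cookie the way a naive per-cookie scanner would, and then scores the combined token the way the session mechanism actually uses it.

```python
import math
import random
from collections import Counter


def make_samples(n=200, seed=1234):
    """Constructed sample session identifiers (assumptions, not values from the thread).

    CFID behaves like a counter; CFTOKEN is 128 random bits as 32 hex chars.
    The RNG is seeded so the demonstration is reproducible; a real server must
    use a CSPRNG for the token part.
    """
    rng = random.Random(seed)
    cfid = [str(1000 + i) for i in range(n)]
    cftoken = ["%032x" % rng.getrandbits(128) for _ in range(n)]
    return cfid, cftoken


def positional_entropy_bits(values):
    """Sum over character positions of the Shannon entropy (bits) seen in the sample.

    Positions that never change contribute 0 bits, so a counter such as
    1000, 1001, ... scores low even though every value in the sample is unique.
    Treating positions as independent makes this an upper bound, which is the
    same simplification most automated checks make.
    """
    n = len(values)
    width = max(len(v) for v in values)
    total = 0.0
    for pos in range(width):
        # Pad shorter values with a sentinel so every sample contributes at each position.
        counts = Counter(v[pos] if pos < len(v) else "\0" for v in values)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def assess(cfid, cftoken, minimum_bits=64.0):
    """Mimic a per-cookie scanner verdict and compare it with the combined token.

    minimum_bits is an illustrative threshold, not a PCI figure.
    """
    per_cookie = {
        "CFID": positional_entropy_bits(cfid),
        "CFTOKEN": positional_entropy_bits(cftoken),
    }
    # The session key the server actually looks up is the pair, so score that too.
    combined = positional_entropy_bits([a + ":" + b for a, b in zip(cfid, cftoken)])
    return {
        "per_cookie_bits": per_cookie,
        "flagged_per_cookie": [name for name, bits in per_cookie.items() if bits < minimum_bits],
        "combined_bits": combined,
        "combined_ok": combined >= minimum_bits,
    }


if __name__ == "__main__":
    cfid, cftoken = make_samples()
    report = assess(cfid, cftoken)
    for name, bits in report["per_cookie_bits"].items():
        print(f"{name}: ~{bits:.1f} bits")
    print("flagged per cookie:", report["flagged_per_cookie"])
    print(f"combined: ~{report['combined_bits']:.1f} bits, ok={report['combined_ok']}")
```

Run as-is, the per-cookie pass flags CFID (a four-digit counter cannot exceed about 7.6 bits in this sample) while CFTOKEN scores well over 100 bits, and the combined identifier is simply the sum of the two. That is the gap the post describes: the scanner's verdict is per cookie, so no amount of randomness in CFTOKEN will clear a finding raised against CFID.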