Participant
May 16, 2017
Question

J2EE Misconfiguration: Insufficient Session ID Length

Hey Guys,

We just had a PCI scan on one of our servers, and the following issue was returned:

J2EE Misconfiguration: Insufficient Session ID Length

My understanding is that the Session ID length is set in the underlying JVM for CF.

Is there any solution to this?

Thanks

Steve

    1 reply

    Inspiring
    May 16, 2017

    Check CFAdmin Memory Variables

    Participant
    May 16, 2017

    Sorry ... by length I DON'T mean the length of the timeout.

    By length, I mean the length of the string identifying a particular session.


    So, they're currently of the form 1B28985AA915BCAE8B53537A1B5B6020.cfusion, but the scan failed because it's saying that that string isn't long enough, and could technically be guessed to hijack the session.

    Thanks


    Steve