January 29, 2013

J2EE session variables & Non Random Session IDs

  • January 29, 2013
  • 1 reply
  • 4287 views

Our server keeps failing our PCI compliance test due to the Session ID's being non random.

Description: Web Server Uses Non Random Session IDs
Synopsis: The remote web server generates predictable session IDs.
Impact: The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while he visits a web site. The remote server generates non-random session IDs. An attacker might use this flaw to guess the session IDs of other users and therefore steal their session.
See also: http://pdos.csail.mit.edu/cookies/seq_sessionid.html
Data Received: Sending several requests gives us the following session IDs: CFID=896744 CFID=896745 CFID=896746 CFID=896747 CFID=896748
Resolution: Configure the remote site and CGIs so as to use random session IDs.
Risk Factor: Medium / CVSS2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

We are using which I thought was the more secure option. Is there something else you have to do to guarantee that the session IDs are non random, or is this the compliance test picking up on a false positive?

P.S. It's a recent migration to CF10, don't know if that has anything to do with it.

Correct answer 12Robots

Even if you have JEE sessions enabled, CF will continue to set CFID and CFToken cookies unless you tell it not to.  It does this for use with the CLIENT scope.

If you are not using the client scope for anything then you can safely tell CF to stop setting those client cookies.

If you are using Application.cfc then add this to your pseudoconstructor area:

<cfset this.setClientCookies = false />

If you are using Application.cfm, then I begrudgingly tell you to add this to your <cfapplication /> tag

<cfapplication ... other settings... setclientcookies="false" />

If you are using the client scope then you may be out of luck and will need to reimplement whatever you are using the client scope for using the session scope instead.

jason
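The scanner finding quoted in the question and the fix described in this answer, as an added check that is not part of the thread and is not ColdFusion's own code: a small Python script that takes the Set-Cookie headers collected from several fresh requests and classifies each cookie the way the compliance scan does (consecutive integers, low entropy, repeated values). The two sets of responses are constructed for the example; the JSESSIONID and CFTOKEN values are made up, and the entropy threshold and maximum step size are assumptions. Run it to see the sequential CFID values flagged before the fix and only the JSESSIONID cookie present after setClientCookies is turned off.

```python
import math
from collections import Counter

# Constructed sample: Set-Cookie headers from five fresh requests BEFORE the fix.
# CFID values are the ones in the scan report; CFTOKEN and JSESSIONID are made up.
BEFORE_FIX = [
    ["CFID=896744; Path=/", "CFTOKEN=48213690; Path=/",
     "JSESSIONID=3F1A9C7E2B8D4065A1C3E5F7092B4D6E; Path=/; HttpOnly"],
    ["CFID=896745; Path=/", "CFTOKEN=17935204; Path=/",
     "JSESSIONID=7C0D5E2A9B41F683D2E4A6C8B0F1A3E5; Path=/; HttpOnly"],
    ["CFID=896746; Path=/", "CFTOKEN=90361728; Path=/",
     "JSESSIONID=B92E4D7F1A3C6058E7F9A1B3C5D7E902; Path=/; HttpOnly"],
    ["CFID=896747; Path=/", "CFTOKEN=25804913; Path=/",
     "JSESSIONID=D4A7F20C8E3B1695F1A3B5C7D9E0F2A4; Path=/; HttpOnly"],
    ["CFID=896748; Path=/", "CFTOKEN=63149270; Path=/",
     "JSESSIONID=1E6B3A9D5C2F7480B3D5F7A9C1E3B5D7; Path=/; HttpOnly"],
]

# Constructed sample AFTER setClientCookies=false: only the JEE session cookie is set.
AFTER_FIX = [[headers[2]] for headers in BEFORE_FIX]


def parse_set_cookie(header):
    """Return (name, value) from one Set-Cookie header, ignoring its attributes."""
    pair = header.split(";", 1)[0].strip()
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def collect(responses):
    """Group observed cookie values by cookie name, preserving request order."""
    seen = {}
    for headers in responses:
        for header in headers:
            name, value = parse_set_cookie(header)
            seen.setdefault(name, []).append(value)
    return seen


def is_sequential(values, max_step=10):
    """True when every value is an integer and each sample exceeds the previous by a small step."""
    if len(values) < 2 or not all(v.isdigit() for v in values):
        return False
    nums = [int(v) for v in values]
    return all(0 < b - a <= max_step for a, b in zip(nums, nums[1:]))


def bits_of_entropy(value):
    """Shannon entropy per character times length: a rough upper bound on the randomness of one ID."""
    counts = Counter(value)
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit(responses, min_bits=64):
    """Classify each cookie seen across the responses. min_bits is an assumed threshold."""
    findings = {}
    for name, values in collect(responses).items():
        if is_sequential(values):
            findings[name] = "predictable: sequential integers"
        elif min(bits_of_entropy(v) for v in values) < min_bits:
            findings[name] = "weak: low entropy"
        elif len(set(values)) < len(values):
            findings[name] = "weak: repeated value"
        else:
            findings[name] = "ok"
    return findings


def flagged(responses):
    """Sorted names of the cookies a scanner would report for the given responses."""
    return sorted(name for name, verdict in audit(responses).items() if verdict != "ok")


if __name__ == "__main__":
    for label, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit(sample), "flagged:", flagged(sample))
```

The CFID check fires first because a counter is the worst case regardless of its length; the entropy estimate is only a coarse sanity check on a single value, so treat "ok" as "nothing obviously wrong" rather than proof of a strong generator.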

1 reply


Participating Frequently
January 29, 2013

Thanks, I'll give that a try.