Participant
March 21, 2010
Question

Session Identifiers Getting updated


This is for one of the secured SSL sites made using ColdFusion. While running the security scan, we are getting one issue reported as "Session Identifiers Getting Updated".

Could you please tell me how to handle the session variables effectively so that they don't get updated?


    Participant
    March 22, 2010

    Let me see if I get this right. You have a security scanner which hits pages on your site. You don't want it to increment the number of sessions running? If this is correct, then check if the security scanner has a unique http_user_agent name and when a visitor comes with that agent type, assign it a cfid and a cftoken of 1. This will make each visit of the scanner look like the same visit by ColdFusion and prevent a new session being assigned to the visit.

    If I'm not understanding the problem properly or my solution does not fit what you need, please let me know.

    Thanks

    --

    Michael Dinowitz

    House of Fusion (http://www.houseoffusion.com)

    Home of the ColdFusion community

    Participant
    March 24, 2010

    I am using IBM AppScan for testing. I am not sure where I can make these settings; could you please let me know if you have used AppScan?

    Is there any other way, from code, that we can set the CFID and CFTOKEN?

    ilssac
    Inspiring
    March 24, 2010

    Does this security tool correctly accept and return cookies?

    ColdFusion normally sets the cfid and cftoken values in cookies.  If it gets a request that does not contain these cookies from a previous request, it creates new cookies with new values.
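
One way to answer the question in the last reply from a capture of the scanner's traffic, as an added example that is not part of the original thread: it walks request/response pairs in order and reports whether new cfid/cftoken values were issued because the client failed to return the cookies, or even though it did return them (a case the thread does not discuss). The exchange format, the verdict names and the sample values are constructed for illustration.

```python
from http.cookies import SimpleCookie

SESSION_COOKIES = ("cfid", "cftoken")

def session_ids(header_value):
    """Extract cfid/cftoken (case-insensitive names) from a Cookie or Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value or "")
    return {k.lower(): m.value for k, m in jar.items() if k.lower() in SESSION_COOKIES}

def classify(exchanges):
    """Return one verdict per exchange, in order."""
    issued = {}    # identifiers the server most recently handed out
    verdicts = []
    for ex in exchanges:
        sent = session_ids(ex.get("cookie", ""))
        new = {}
        for value in ex.get("set_cookie", []):
            new.update(session_ids(value))
        if not issued:
            verdict = "first-visit"
        elif any(sent.get(k) != issued.get(k) for k in SESSION_COOKIES):
            # Client did not send back what it was given, so new ones get created.
            verdict = "cookies-not-returned"
        elif new and new != issued:
            # Client behaved correctly; the identifiers changed on the server side.
            verdict = "ids-changed-despite-cookies"
        else:
            verdict = "session-kept"
        issued.update(new)
        verdicts.append(verdict)
    return verdicts

# Constructed sample capture: request Cookie header and response Set-Cookie headers.
SAMPLE = [
    {"cookie": "", "set_cookie": ["CFID=1201; Path=/", "CFTOKEN=11111111; Path=/"]},
    {"cookie": "CFID=1201; CFTOKEN=11111111", "set_cookie": []},
    {"cookie": "", "set_cookie": ["CFID=1202; Path=/", "CFTOKEN=22222222; Path=/"]},
    {"cookie": "CFID=1202; CFTOKEN=22222222",
     "set_cookie": ["CFID=1203; Path=/", "CFTOKEN=33333333; Path=/"]},
]

if __name__ == "__main__":
    for number, verdict in enumerate(classify(SAMPLE), start=1):
        print(number, verdict)
```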