Weak Session Token Randomness
Weak Session Token Randomness vulnerability found during pentesting in ColdFusion 2023 Administrator
During a recent pentesting exercise, we identified a vulnerability related to Weak Session Token Randomness in ColdFusion 2023, specifically affecting the Administrator interface. Our analysis shows that only about 6 out of 80 characters in the session cookie have an acceptable level of randomness, which raises concerns about session security and potential risks.
Could you please advise if there are any configuration options or recommended best practices in ColdFusion 2023 to improve the randomness and security of session tokens for the Administrator? Is it possible to change the session ID generator or enable a more secure session management mechanism?
Any guidance or recommendations on how to mitigate this vulnerability would be greatly appreciated.
Thank you in advance for your support!
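As an added illustration, not part of the original post and not code from Adobe or ColdFusion, here is a defender-side way to reproduce the kind of per-position randomness measurement the finding describes: sample a few hundred cookie values and compute the Shannon entropy of the character at each index. The weak generator below is constructed to mimic the "about 6 of 80" observation and is not ColdFusion's real generator; the 80-character length, the 3-bit threshold and the 500-token sample size are assumptions.

```python
"""Per-position entropy check for sampled session tokens (added example, constructed data)."""
import math
import random
import secrets
from collections import Counter

TOKEN_LEN = 80   # assumed cookie length, matching the post's "80 characters"
MIN_BITS = 3.0   # assumed threshold; a hex position with full 16-way spread gives log2(16) = 4 bits


def position_entropy(tokens, pos):
    """Shannon entropy (bits) of the character observed at index `pos` across all tokens."""
    counts = Counter(t[pos] for t in tokens)
    total = len(tokens)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def random_positions(tokens, min_bits=MIN_BITS):
    """Indices whose empirical entropy meets the threshold; the rest are fixed or near-fixed."""
    length = len(tokens[0])
    assert all(len(t) == length for t in tokens), "tokens must share one length"
    return [p for p in range(length) if position_entropy(tokens, p) >= min_bits]


# Constructed weak generator (NOT ColdFusion's): 74 fixed characters followed by 6 random
# hex characters, mimicking the "about 6 of 80" observation from the post.
_weak_rng = random.Random(1234)


def weak_token():
    return "cf" + "0" * 72 + "".join(_weak_rng.choice("0123456789abcdef") for _ in range(6))


def strong_token():
    # 40 CSPRNG bytes rendered as 80 hex characters, for comparison with the weak case.
    return secrets.token_hex(TOKEN_LEN // 2)


def assess(generator, samples=500):
    """Return (number of acceptably random positions, token length) over `samples` tokens."""
    tokens = [generator() for _ in range(samples)]
    return len(random_positions(tokens)), len(tokens[0])


if __name__ == "__main__":
    for name, gen in (("weak", weak_token), ("strong", strong_token)):
        ok, total = assess(gen)
        print(f"{name}: {ok}/{total} positions have >= {MIN_BITS} bits of entropy")
```

Per-position entropy alone does not expose counter- or timestamp-derived values, which look well spread index by index yet are predictable from the previous token; pair it with a check that successive samples do not correlate.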
