We just had a PCI scan on one of our servers, and the following issue was returned:
J2EE Misconfiguration: Insufficient Session ID Length
My understanding is that the Session ID length is set in the underlying JVM for CF.
Is there any solution to this?
Check CFAdmin Memory Variables
Sorry ... by length I DON'T mean the length of the timeout.
By length, I mean the length of the string identifying a particular session.
So, they're currently of the form 1B28985AA915BCAE8B53537A1B5B6020.cfusion, but the scan failed because it's saying that that string isn't long enough, and could technically be guessed to hijack the session.
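To see what a scanner is actually measuring when it flags "insufficient session ID length", here is an added example (not code from the original thread or from ColdFusion itself) that splits an ID of the form shown above into the random part and the JVM route suffix, works out the nominal bit strength from the character alphabet and length, and compares it to a minimum. The sample IDs, the helper names and the 128-bit threshold are my own assumptions, chosen only to illustrate the check.

```python
import math
import re

# Constructed sample IDs: the first mirrors the format quoted in the thread,
# the others are made up to exercise the short and non-hex cases.
SAMPLE_IDS = [
    "1B28985AA915BCAE8B53537A1B5B6020.cfusion",  # 32 hex chars + ".cfusion" route suffix
    "A3F1C9.cfusion",                             # deliberately short
    "Zx9QbL2mTt8Kp4Rw1Vn7Yc0Sd5Hg3Jf6",          # 32 mixed-case alphanumeric chars
]

# Minimum nominal strength treated as acceptable (assumption; set to your own policy).
MIN_BITS = 128


def split_route_suffix(session_id):
    """Separate the random token from a J2EE-style routing suffix such as
    ".cfusion". The suffix is fixed per instance, so it adds length but no
    unpredictability and must not be counted."""
    base, _, suffix = session_id.partition(".")
    return base, suffix


def alphabet_size(token):
    """Infer the size of the character set the generator appears to draw from."""
    if re.fullmatch(r"[0-9A-F]+", token) or re.fullmatch(r"[0-9a-f]+", token):
        return 16
    if re.fullmatch(r"[0-9]+", token):
        return 10
    if re.fullmatch(r"[A-Za-z0-9]+", token):
        return 62
    if re.fullmatch(r"[A-Za-z0-9+/=_-]+", token):
        return 64
    return len(set(token))  # fallback: distinct characters actually observed


def nominal_bits(session_id):
    """Upper bound on the ID's entropy: length of the random part times
    log2(alphabet size). The real figure can only be lower, because it also
    depends on how the generator seeds and draws its values."""
    base, _ = split_route_suffix(session_id)
    return len(base) * math.log2(alphabet_size(base))


def assess(session_id, min_bits=MIN_BITS):
    bits = nominal_bits(session_id)
    return {"id": session_id, "bits": round(bits, 1), "ok": bits >= min_bits}


if __name__ == "__main__":
    for sid in SAMPLE_IDS:
        result = assess(sid)
        print(f"{result['id']:45s} {result['bits']:6.1f} bits  {'OK' if result['ok'] else 'TOO SHORT'}")
```

Run as-is, the 32-hex-character ID scores 128 nominal bits, which shows that the ".cfusion" part is irrelevant to the finding: only the hex token counts. The figure is an upper bound, so if a scanner still complains, the thing to verify on the server side is the length and randomness source of the token the container is configured to generate, not the suffix.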