A recent scan of an ecommerce site I've developed and hosted
on a shared server at CrystalTech failed a PCI compliance test.
It previously passed them.
The report says that session IDs are predictable and therefore
insecure. This threatens my relationship with the credit card
companies. The good folks at CrystalTech have not been helpful yet.
Is anyone familiar with this issue, or does anyone have valuable thoughts?
Interestingly, Securitymetrics calls it "Allaire Coldfusion".
Man, are they out of date.
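To make the scanner's "predictable" finding concrete, here is an added example (not from the original post, and not from the scanner vendor or the hosting provider) of the two checks such a tool typically applies to a batch of session IDs collected from repeated requests: whether the value is a counter you can extrapolate, and whether its keyspace is too small to resist guessing. The sample IDs are constructed, the alphabet inference and the 64-bit threshold (the common OWASP guidance for session ID entropy) are this example's assumptions.

```python
"""Rough predictability check for session identifiers.

Added example, not code from the original post. Feed it session IDs
captured from a series of fresh sessions; it flags counter-style values
and estimates the keyspace from length and inferred alphabet.
"""
import math
import re

# Constructed sample IDs (not captured from any real site).
# WEAK_IDS mimic a sequential 8-digit token; STRONG_IDS mimic 128-bit hex.
WEAK_IDS = ["48213907", "48213908", "48213909", "48213911", "48213912"]
STRONG_IDS = [
    "3f9a1c7e8b2d4a6f90e1c3b5d7a9f2c4",
    "a81d0e5c6b7f4923d1e0f8a6c4b2e7d9",
    "0c4e9b2a7d1f6358e2a9c0d4b7f1e6a3",
    "e7b2d5f8a1c4093e6d2b8f0a5c7e1d94",
    "5d1f8a3c7e0b2946a8f3d1c5e9b0a7f2",
]


def keyspace_bits(token):
    """Upper bound on randomness: len(token) * log2(alphabet size).

    The alphabet is inferred from the characters present (assumption:
    digits, hex, alphanumerics, otherwise printable ASCII). A real
    generator may use far less of the keyspace, so this only bounds the
    best case; a small result is already a failing result.
    """
    if re.fullmatch(r"[0-9]+", token):
        alphabet = 10
    elif re.fullmatch(r"[0-9a-fA-F]+", token):
        alphabet = 16
    elif re.fullmatch(r"[0-9A-Za-z]+", token):
        alphabet = 62
    else:
        alphabet = 94  # assume printable ASCII
    return len(token) * math.log2(alphabet)


def looks_sequential(tokens, max_gap=100):
    """True if every token is an integer and consecutive samples increase
    by a small gap, i.e. the ID is a counter a client can extrapolate.
    max_gap allows for other users creating sessions between samples."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False
    gaps = [b - a for a, b in zip(values, values[1:])]
    return len(gaps) > 0 and all(0 < g <= max_gap for g in gaps)


def assess(tokens, min_bits=64):
    """Verdict for a batch of session IDs. min_bits=64 follows the usual
    guidance that a session ID should carry at least 64 bits of entropy."""
    bits = min(keyspace_bits(t) for t in tokens)
    sequential = looks_sequential(tokens)
    return {
        "keyspace_bits": round(bits, 1),
        "sequential": sequential,
        "predictable": sequential or bits < min_bits,
    }


if __name__ == "__main__":
    for name, batch in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(name, assess(batch))
```

Run it against IDs you capture yourself (one fresh session per request, no cookies sent) rather than the constructed samples; a counter-style ID or one with well under 64 bits of keyspace is what a PCI scanner reports as predictable, and the fix is on the application or server side (a generator backed by a cryptographic RNG), not in the scan.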