> Hi, all... Trying to get my server to pass PCI-Compliance and I was dinged
> for the server (CF) using non-random session IDs (CFIDs). They found three
> consecutive CFIDs in use. However, I noticed in the CF documentation that
> CF-Tokens are random. And I opted for the long-form CF-Tokens in the
> administrator. Is there a way to use random CFIDs or is that what the random
> CF-Tokens are for: to provide a pair of variables that together satisfy
> randomness requirements for sessions?

I don't think there's any way to control the values issued for CFID.
The CFTOKEN values are random and secure if you choose that option in
the CF Administrator. But I'd second Cameron's recommendation to use
J2EE sessions if you can. You'll get a single token that is secure.
Plus, the token will be discarded when the browser is closed.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
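
The kind of check behind the scanner finding discussed in this message, as an added example that is not part of the original post: it groups session cookies issued to several fresh sessions and flags any cookie whose values are consecutive integers. All cookie values are constructed, and the `JSESSIONID` cookie name for J2EE sessions and the `max_step` threshold are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie values from three fresh sessions (CF session management).
SAMPLE_CF = [
    ["CFID=48213; Path=/", "CFTOKEN=3f9a1c7e52b04d86-9C1E77A0-D2F4-4B6A-8E13; Path=/"],
    ["CFID=48214; Path=/", "CFTOKEN=b81d04f6a92c7e35-1A7F3C22-0B9E-4D51-A6C8; Path=/"],
    ["CFID=48215; Path=/", "CFTOKEN=5c27e9a0d14f8b63-E40B96D7-7A3C-4F18-B2D5; Path=/"],
]

# Constructed Set-Cookie values with J2EE sessions enabled (cookie name assumed).
SAMPLE_J2EE = [
    ["JSESSIONID=84A1F0C39B7D2E65F10C4A8B3D97E621; Path=/"],
    ["JSESSIONID=2D6B9E04C7A135F88E0B41D7F3A92C56; Path=/"],
    ["JSESSIONID=F7309AC15E48B2D6604D1C9E8A37B5F2; Path=/"],
]


def collect(responses):
    """Group cookie values by upper-cased name, preserving issue order."""
    seen = {}
    for headers in responses:
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                seen.setdefault(name.upper(), []).append(morsel.value)
    return seen


def is_sequential(values, max_step=16):
    """True if at least three values are all integers, each a small step above the last."""
    if len(values) < 3 or not all(v.isdigit() for v in values):
        return False
    nums = [int(v) for v in values]
    return all(0 < b - a <= max_step for a, b in zip(nums, nums[1:]))


def audit(responses):
    """Return {cookie name: "sequential" or "ok"} for every cookie observed."""
    return {
        name: "sequential" if is_sequential(vals) else "ok"
        for name, vals in collect(responses).items()
    }


if __name__ == "__main__":
    print("CF sessions:  ", audit(SAMPLE_CF))
    print("J2EE sessions:", audit(SAMPLE_J2EE))
```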

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355198