> Most (if not all) PCI scanning vendors will remove it from your report if
> you explain that the session is based on BOTH the CFID and CFTOKEN values,
> not just one, as long as you have Use UUID for CFTOKEN enabled (which in
> CF9/10 is more than just a UUID).
I can second that; we've run into this before, and any QSA who knows what they're doing will put an exception in place for this scenario. Frankly I'm surprised more of them haven't built this in as a rule by default when cfid and cftoken are both present.

-Justin

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355203
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
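An added example, not code from this thread or from Adobe: a small Python check that parses the Set-Cookie headers of a ColdFusion response, confirms that both CFID and CFTOKEN are present (the pairing the two posts rely on for the scan exception), and reports whether CFTOKEN is the numeric default or the createUUID()-style 8-4-4-16 hex form that the "Use UUID for CFTOKEN" setting produces. The sample headers are constructed; the longer CF9/10 token form the quoted post mentions is not modelled here and would be reported as "unknown".

```python
import re

# Constructed sample Set-Cookie headers; not captured from any real host.
DEFAULT_TOKEN_HEADERS = [
    "CFID=1234567; Path=/; HttpOnly",
    "CFTOKEN=83246911; Path=/; HttpOnly",
]
UUID_TOKEN_HEADERS = [
    "CFID=1234567; Path=/; HttpOnly",
    "CFTOKEN=a1b2c3d4-e5f6-7a8b-9c0d1e2f3a4b5c6d; Path=/; HttpOnly",
]

# ColdFusion createUUID() shape: 8-4-4-16 hex groups, 35 characters.
CF_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16}$", re.IGNORECASE
)
# Default CFTOKEN is a plain decimal number (8 digits on stock installs).
NUMERIC_RE = re.compile(r"^\d+$")


def parse_cf_cookies(headers):
    """Return {name: value} for CFID/CFTOKEN found in Set-Cookie header values."""
    found = {}
    for header in headers:
        name_value = header.split(";", 1)[0]
        if "=" not in name_value:
            continue
        name, value = name_value.split("=", 1)
        name = name.strip().upper()
        if name in ("CFID", "CFTOKEN"):
            found[name] = value.strip()
    return found


def classify_cftoken(value):
    """Classify a CFTOKEN by shape: numeric default, CF UUID form, or unknown."""
    if NUMERIC_RE.match(value):
        return "numeric-default"
    if CF_UUID_RE.match(value):
        return "uuid"
    return "unknown"


def assess(headers):
    """Summarise what a scanner would see and what to tell the vendor/QSA."""
    cookies = parse_cf_cookies(headers)
    result = {
        "cfid": cookies.get("CFID"),
        "cftoken": cookies.get("CFTOKEN"),
        "cftoken_form": None,
        # CF session identity needs both values, not either one alone.
        "session_pair_present": "CFID" in cookies and "CFTOKEN" in cookies,
        "finding": None,
    }
    if not result["session_pair_present"]:
        result["finding"] = (
            "CFID/CFTOKEN pair not both present; no CF session identity to evaluate"
        )
        return result
    form = classify_cftoken(cookies["CFTOKEN"])
    result["cftoken_form"] = form
    if form == "numeric-default":
        result["finding"] = (
            "CFTOKEN is the numeric default; enable 'Use UUID for CFTOKEN' in the "
            "CF Administrator before asking the scanning vendor for an exception"
        )
    elif form == "uuid":
        result["finding"] = (
            "CFTOKEN is UUID-form and the session is keyed on the CFID+CFTOKEN "
            "pair; document this when requesting the scan exception"
        )
    else:
        result["finding"] = "CFTOKEN has an unrecognised form; inspect it manually"
    return result


if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_TOKEN_HEADERS), ("uuid", UUID_TOKEN_HEADERS)):
        print(label, assess(headers))
```

Feed it the Set-Cookie headers from a first request to any .cfm page (before any session exists) and keep the output with the exception request; the "finding" string is what you would paraphrase for the vendor.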