Thanks for the reply, Pete... If I remember all of the conversation correctly,
when we came to the "ding" for consecutive session variables, the scanning
vendor rep did mention the fact that a CFToken was involved and that made a
difference. I did look up the information on this in the docs (CF9) and it did
mention changing the CFToken to a long format (I didn't want to say "UUID"
because, without looking it up, I wasn't sure that's the way it was labeled). I
have changed the CFToken to the long-format, so that should satisfy the vendor.
I'm working with Security Metrics, the PCI-Compliance Vendor for TD Bank.
They've been very good about going over all the technicalities and offering
suggestions and solutions to issues, such as this one. Security Metrics has
been good to work with so far and reasonably priced, so I thought I'd give them
a "shout-out". (btw, I own the company... no just kidding!) I have no connection
to them at all. But thanks for the feedback, again, and just fyi, that's the
only CF-related issue that came up at all in the compliance scan. :o) Rick
> To: cf-talk@houseoffusion.com
> Subject: Re: PCI-Compliance Ding for Non-Random CFID's
> Date: Fri, 29 Mar 2013 13:37:01 -0400
> From: p...@foundeo.com
> 
> 
> Most (if not all) PCI scanning vendors will remove it from your report if
> you explain that the session is based on BOTH the CFID and CFTOKEN values,
> not just one, as long as you have Use UUID for CFTOKEN enabled (which in
> CF9/10 is more than just a UUID).
> 
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
> minutes
> 
> 
> 
> On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth
> <r...@whitestonemedia.com> wrote:
> 
> >
> > Hi, all... Trying to get my server to pass PCI-Compliance and I was dinged
> > for the server (CF) using non-random session id's (CFID's). They found three
> > consecutive CFID's in use. However, I noticed in the CF documentation that
> > CF-Tokens are random. And I opted for the long-form CF-Tokens in the
> > administrator. Is there a way to use random CFID's or is that what the
> > random CF-Tokens are for: to provide a pair of variables, that together
> > satisfy randomness requirements for sessions? Thanks for any feedback! Rick
> >
> > 
> 
> 
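To show what the scanner's complaint and Pete's answer amount to, here is an added Python example that is not from the thread: it takes CFID/CFTOKEN pairs observed from test clients (constructed values; the long-format token layout is an assumption, not real ColdFusion output), flags consecutive CFIDs the way the scan did, and estimates whether the paired CFTOKEN carries enough entropy on its own to make the pair unguessable.

```python
import math
import re

# Constructed samples from three test clients. CFIDs are consecutive (what
# the PCI scan flagged); CFTOKENs are the short 8-digit form.
SHORT_TOKEN_PAIRS = [
    ("20451", "12345678"),
    ("20452", "87654321"),
    ("20453", "55512345"),
]

# Same clients with the UUID option on. Values are constructed hex strings;
# the exact layout ColdFusion uses is an assumption, not real server output.
LONG_TOKEN_PAIRS = [
    ("20451", "3F2A9C1E5D7B8A04-8F3C2A1B-6E5D-4C3B-2A1908F7E6D5C4B3"),
    ("20452", "A1B2C3D4E5F60718-0A1B2C3D-4E5F-6071-8293A4B5C6D7E8F9"),
    ("20453", "0123456789ABCDEF-FEDCBA98-7654-3210-0F1E2D3C4B5A6978"),
]


def consecutive_cfids(pairs):
    """True when every CFID is exactly one more than the previous one."""
    ids = [int(cfid) for cfid, _ in pairs]
    return len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


def token_entropy_bits(token):
    """Upper-bound entropy from character class and length, ignoring '-'.
    8 digits -> ~26.6 bits; 48 hex characters -> 192 bits."""
    body = token.replace("-", "")
    if body.isdigit():
        alphabet = 10
    elif re.fullmatch(r"[0-9A-Fa-f]+", body):
        alphabet = 16
    else:
        alphabet = 36  # assume case-insensitive alphanumeric
    return len(body) * math.log2(alphabet)


def assess_session_ids(pairs, min_bits=64.0):
    """Return (cfids_sequential, weakest_token_bits, acceptable).
    A predictable CFID is acceptable only if the CFTOKEN paired with it
    carries at least min_bits (the usual session-ID floor) on its own,
    since the session key is the pair and a guess has to match both."""
    sequential = consecutive_cfids(pairs)
    weakest = min(token_entropy_bits(token) for _, token in pairs)
    acceptable = (not sequential) or weakest >= min_bits
    return sequential, weakest, acceptable
```

Run `assess_session_ids` over pairs collected from a few fresh test sessions; short numeric tokens fail the 64-bit floor while the long hex form passes it.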

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355204