On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth <r...@whitestonemedia.com>wrote:

>
> Thanks for the reply, Pete... If I remember all of the conversation
> correctly, when we came to the "ding" for consecutive session variables, the
> scanning vendor rep did mention the fact that a CFToken was involved and
> that made a difference. I did look up the information on this in the docs
> (CF9) and it did mention changing the CFToken to a long format (I didn't
> want to say "UUID" because, without looking it up, I wasn't sure that's the
> way it was labeled).


Yes, it is labeled "Use UUID for CFTOKEN" in the ColdFusion Administrator, but it
is actually more than just a UUID in modern versions of ColdFusion. For
example, it might look like this:

545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
 ^ (Random)           ^ (UUID)

Which contains a random value (which I believe is also generated using a
secure random generator like the jsessionid) concatenated with a UUID.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
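The token layout Pete describes (a random hex prefix, a dash, then a ColdFusion-style UUID) is easy to verify on your own server by inspecting the Set-Cookie header it sends. The following Python script is an added example written for this thread, not code from Pete, Adobe or the cf-talk list: it classifies a CFTOKEN value as either the long "UUID" format or the short default numeric format, so an administrator can confirm the setting is actually in effect. It generalises from the one sample token above, so the 16-hex-character width of the random part, the 8-4-4-16 shape of ColdFusion's UUID, and the "short decimal number" pattern for the legacy token are assumptions; the sample headers are constructed, not captured from a real server.

```python
import re

# Constructed sample Set-Cookie headers (not captured from any real server).
SAMPLE_HEADERS = [
    "Set-Cookie: CFTOKEN=545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=31412043; Path=/",
    "Set-Cookie: CFID=1234; Path=/",
]

# ColdFusion's createUUID() output is 8-4-4-16 hex digits (35 chars),
# unlike an RFC 4122 UUID's 8-4-4-4-12 shape.
CF_UUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}"

# Long format as seen in the thread: 16 hex chars of random data, a dash, then the UUID.
# Assumption: the random part is always 16 hex characters, as in the one sample.
LONG_TOKEN_RE = re.compile(rf"^(?P<random>[0-9A-Fa-f]{{16}})-(?P<uuid>{CF_UUID})$")

# Assumption: the default (non-UUID) CFTOKEN is a short decimal number.
LEGACY_TOKEN_RE = re.compile(r"^[0-9]{1,10}$")

# Extracts the CFTOKEN value from a cookie string; other cookie attributes are ignored.
COOKIE_RE = re.compile(r"(?:^|;\s*)CFTOKEN=([^;]*)")


def classify_cftoken(token):
    """Return a dict describing which CFTOKEN format a value uses."""
    m = LONG_TOKEN_RE.match(token)
    if m:
        return {
            "format": "uuid",
            "random_hex": m["random"],
            "uuid": m["uuid"],
            # Each hex digit carries at most 4 bits, so this is the nominal size
            # of the random prefix, not a measured entropy estimate.
            "random_bits": len(m["random"]) * 4,
        }
    if LEGACY_TOKEN_RE.match(token):
        return {"format": "legacy-numeric", "digits": len(token)}
    return {"format": "unknown"}


def check_set_cookie(header):
    """Parse a Set-Cookie header line; return the CFTOKEN classification or None if absent."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    m = COOKIE_RE.search(body.strip())
    if not m:
        return None
    return classify_cftoken(m.group(1))


if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(line)
        print("  ->", check_set_cookie(line))
```

Run it against a header copied from your own server's response; a result of "legacy-numeric" means the administrator setting is not in effect (or the request was served by a different layer), which is the condition that scanners flag.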


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355211