J2EE session variables & Non Random Session IDs

-

our server keeps failing our pci compliance test due session id's being non random.

 

description: web server uses non random session ids       synopsis: remote web server generates predictable session ids.      impact: remote web server generates session id each connection.  session id typically used keep track of actions of user while visits web site.  remote server generates non-random session ids.  attacker might use flaw guess session ids of other users , therefore steal session.  see : http://pdos.csail.mit.edu/cookies/seq_sessionid.html        data received: sending several requests gives following session ids : cfid=896744 cfid=896745 cfid=896746 cfid=896747 cfid=896748      resolution: configure remote site , cgis use random session ids.       risk factor: medium/ cvss2 base score: 6.4       av:n/ac:l/au:n/c:p/i:p/a:n

 

we using though more secure option. there else have guarentee session id's non random or compliance test picking on false positive?

 

p.s. it's recent migration cf10, don't know if has it.

even if have jee sessions enabled, cf continue set cfid , cftoken cookies unless tell not to.  use client scope.

 

if not using client scope can safely tell cf stop setting client cookies.

 

if using application.cfc add pseudocontstructor area:

 

<cfset this.setclientcookies = false />

 

if using applicaiton.cfm, begrudingly tell add <cfapplication /> tag

 

<cfapplication ... other settings... setclientcookies="false" />

 

 

if using client scope may out of luck , need reimplement whatever using client scope using session scope instead.

 

jason



More discussions in ColdFusion


adobe

Comments

Post a Comment

Popular posts from this blog

Warning, the Safe Path is not accessible vm3 - Joomla! Forum - community, help and support

-
i have install virtumart 3 , safe path error (vmerror: warning, safe path not accessible (does not exist or no permission), safety reasons important create folder in path not accessible url or unguessable name, create folder 'invoices' , 'keys' in store sensitive data secure. our suggested path system '/home/shop3/vmfiles/'. you can use complex folder name 'password' example '/home/shop3/public_html/administrator/components/com_virtuemart/pgq9b3kscpin/'. use link config) does have idea why, if created folder, can't warning out? virtumart virtuemart 3.0.8 joomla! 3.3.6 stable problem solved Board index Joomla! 3.x - Ask Support Questions Here Extensions for Joomla! 3.x
Read more

2.5.28 to 3.4.1---Download of update package failed - Joomla! Forum - community, help and support

-
went 2.3* whatever 2.5.28 same message.. had install via extension manager: install.. seemed work fine.. updated extensions , db.. tried run install again joomla! update module , download of update package failed message.. tried install extension manager: install. again , nothing.. don't seem have jommla_update.php file on server.. using godaddy plesk.. fun installed 3.4.1 on server using godaddy applications , worked fine.. i have seen server might out of space.. not issue here. permissions set correctly can tell. i new take easy on me.. any ideas? viewtopic.php?f=621&t=582860 Board index Joomla! 3.x - Ask Support Questions Here Migrating and Upgrading to Joomla! 3.x
Read more

Your host needs to use PHP 5.3.10 or higher to run this vers - Joomla! Forum - community, help and support

-
hi all, searched , saw nothing related it. did quickinstall of joomla 3.3.6. when goto site location in browser error in subject. server specs below. wrong in assuming should ok , if know of fix. php: 5.4.32 could double check php version? create (eg phpinfo.php) file on server containing code: select all <?php phpinfo(); and open file in browser (via eg www.example.com/phpinfo.php ) ? for safety reasons remove file server after double checking. Board index Joomla! 3.x - Ask Support Questions Here Installation Joomla! 3.x
Read more