J2EE session variables & Non Random Session IDs

-

our server keeps failing our pci compliance test due session id's being non random.

 

description: web server uses non random session ids       synopsis: remote web server generates predictable session ids.      impact: remote web server generates session id each connection.  session id typically used keep track of actions of user while visits web site.  remote server generates non-random session ids.  attacker might use flaw guess session ids of other users , therefore steal session.  see : http://pdos.csail.mit.edu/cookies/seq_sessionid.html        data received: sending several requests gives following session ids : cfid=896744 cfid=896745 cfid=896746 cfid=896747 cfid=896748      resolution: configure remote site , cgis use random session ids.       risk factor: medium/ cvss2 base score: 6.4       av:n/ac:l/au:n/c:p/i:p/a:n

 

we using though more secure option. there else have guarentee session id's non random or compliance test picking on false positive?

 

p.s. it's recent migration cf10, don't know if has it.

even if have jee sessions enabled, cf continue set cfid , cftoken cookies unless tell not to.  use client scope.

 

if not using client scope can safely tell cf stop setting client cookies.

 

if using application.cfc add pseudocontstructor area:

 

<cfset this.setclientcookies = false />

 

if using applicaiton.cfm, begrudingly tell add <cfapplication /> tag

 

<cfapplication ... other settings... setclientcookies="false" />

 

 

if using client scope may out of luck , need reimplement whatever using client scope using session scope instead.

 

jason



More discussions in ColdFusion


adobe

Comments

Post a Comment

Popular posts from this blog

Warning, the Safe Path is not accessible vm3 - Joomla! Forum - community, help and support

-
i have install virtumart 3 , safe path error (vmerror: warning, safe path not accessible (does not exist or no permission), safety reasons important create folder in path not accessible url or unguessable name, create folder 'invoices' , 'keys' in store sensitive data secure. our suggested path system '/home/shop3/vmfiles/'. you can use complex folder name 'password' example '/home/shop3/public_html/administrator/components/com_virtuemart/pgq9b3kscpin/'. use link config) does have idea why, if created folder, can't warning out? virtumart virtuemart 3.0.8 joomla! 3.3.6 stable problem solved Board index Joomla! 3.x - Ask Support Questions Here Extensions for Joomla! 3.x
Read more

uppercase letters in url - Joomla! Forum - community, help and support

-
hello all, i in process of migrating joomla 2.5 1.5. 1 of categories in 1.5 version had capital letters in name. in joomla 2.5, uppercase letters in article/menu/category alias automatically converted lowercase. i tried changing menu alias in database, caused 404 error in category-blog page. i have been trying many days find solution, reason being many of pages category in 1.5 site have lots of facebook likes don't want lose. does work-around exist allow me manually change category/menu alias category blog page , articles have category name uppercase letters? any appreciated. thanks! you can 301 redirect uppercase urls lowercase. Board index Joomla! Older Version Support Joomla! 2.5 Search Engine Optimization (Joomla! SEO) in Joomla! 2.5
Read more

Joomla! Update is not offering Joomla 3 - Joomla! Forum - community, help and support

-
hi i trying upgrade joomla 2.5.27 3.6. have checked requirements (i've upgraded site), purged cache , gone short term support, when click save & close told (as before) have latest joomla version - not offer me joomla 3.6 (or else). have suggestions please? thank you c you can download joomla 3.x update , install manually using joomla's extension installer. don't forget create backup before doing that. Board index Joomla! 3.x - Ask Support Questions Here General Questions/New to Joomla! 3.x
Read more