jSessionID, CFId/CFToken-Which is predictable?
I have results from our the new and improved PCI scan and it comes up with one
Medium risk vuln.
[i]Description: The remote web application is using predictable
session IDs. Ideally, session IDs are randomly generated numbers that cannot be
guessed by attackers. If the session ID is predictable, an attacker could
hijack an active victim's session, allowing the attacker to interact with the
server as though they were the victim. If the session ID is used to track the
state of authentication, the session ID of an authenticated user could be
guessed, bypassing any need for a username or password. In the case of this
server, the session ID was found to have an insignificant number of changes
between session IDs, which makes guessing very easy.
Remediation: The software needs to be either configured or modified to
generate random session IDs. [/i]
I currently have enabled
Use J2EE session variables
assuming I'm getting flagged becasue of cfid/cftoken predictablility I've
setClientCookies = "no" and clientmanagement="no" and restarted the service and
everything seems to be working with jsessionids alone... are there any pitfalls
to watch out with not using cfid/cftoken?
basic question before I pay for another scan is:
I was under the impression that jsessionids were the most secure and a better
alternative than cfid/cftoken. Is that not the case?