
jSessionID, CFId/CFToken-Which is predictable?

Subject: jSessionID, CFId/CFToken-Which is predictable?
From: "Jay_B"
Date: Tue, 10 Jun 2008 14:38:50 +0000 UTC
Newsgroups: macromedia.coldfusion.advanced_techniques
I have results from our new and improved PCI scan and it comes up with one 
Medium risk vuln.

 [i]Description:        The remote web application is using predictable 
session IDs. Ideally, session IDs are randomly generated numbers that cannot be 
guessed by attackers. If the session ID is predictable, an attacker could 
hijack an active victim's session, allowing the attacker to interact with the 
server as though they were the victim. If the session ID is used to track the 
state of authentication, the session ID of an authenticated user could be 
guessed, bypassing any need for a username or password. In the case of this 
server, the session ID was found to have an insignificant number of changes 
between session IDs, which makes guessing very easy.
 Remediation:   The software needs to be either configured or modified to 
generate random session IDs. [/i]

 I currently have enabled
 Use J2EE session variables 

 Assuming I'm getting flagged because of cfid/cftoken predictability, I've 
set setClientCookies="no" and clientmanagement="no" and restarted the service, and 
everything seems to be working with jsessionids alone... are there any pitfalls 
to watch out for with not using cfid/cftoken?

 The basic question before I pay for another scan is:

 I was under the impression that jsessionids were the most secure and a better 
alternative than cfid/cftoken. Is that not the case? 
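Before paying for another scan, a defender can reproduce the scanner's test on IDs sampled from their own server: request a fresh session several times, save each issued cookie value, and measure how much consecutive IDs change. The script below is an added example (Python, not from the post or from ColdFusion); the sample IDs are constructed, and the 50% change threshold is an assumption, not the scanner's actual rule.

```python
"""Rough predictability check for a list of session IDs (added example)."""
import math
from collections import Counter


def changed_positions(a: str, b: str) -> int:
    """Count character positions that differ between two IDs."""
    if len(a) != len(b):
        return max(len(a), len(b))  # treat a length change as fully different
    return sum(1 for x, y in zip(a, b) if x != y)


def consecutive_change_fraction(ids):
    """Mean fraction of positions that change from one issued ID to the next."""
    pairs = list(zip(ids, ids[1:]))
    if not pairs:
        raise ValueError("need at least two session IDs")
    return sum(changed_positions(a, b) / max(len(a), len(b), 1)
               for a, b in pairs) / len(pairs)


def entropy_estimate_bits(ids):
    """Sum, over character positions, of the Shannon entropy of the symbols
    observed there. Small samples underestimate true entropy, but a counter
    scores near zero while a random token scores high."""
    width = min(len(i) for i in ids)
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def assess(ids, min_change_fraction=0.5):
    """Flag a sample as predictable when consecutive IDs barely change.
    The threshold is an assumption for illustration."""
    frac = consecutive_change_fraction(ids)
    return {"change_fraction": round(frac, 3),
            "entropy_bits": round(entropy_estimate_bits(ids), 2),
            "predictable": frac < min_change_fraction}


# Constructed samples: a counter-style value and random-looking hex tokens.
COUNTER_STYLE = [f"{1000 + i:08d}" for i in range(8)]
RANDOM_STYLE = ["a3f9c1d2e47b0c5d", "7c2e9b01f4d3a6e8", "0d5a83c7b19e2f64",
                "e61b4f9a0d73c852", "5b8d27e3fa0c16b9", "c094d6a5e8b1f37d"]

if __name__ == "__main__":
    print("counter-style:", assess(COUNTER_STYLE))
    print("random-style: ", assess(RANDOM_STYLE))
```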
