How do I secure CFID for PCI compliance?

谁说我不能喝 submitted on 2019-12-01 05:53:20

Question


We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN; however, the CFID is still predictable and unaffected by any changes in CF Admin.

I don't really know why the CFID being predictable is a threat, but they want us to fix it.

I have been unable to find anything on the matter by googling, and I'm really not sure what else to do.

Has anyone else dealt with something like this? Any suggestions?

EDIT: Here is what my Application.cfc file looks like:

<cfcomponent output="false">

    <!--- Application name; sessionManagement=true is what makes CF issue the CFID/CFTOKEN cookies --->
    <cfset this.name = "DatabaseOnline">
    <cfset this.sessionManagement = true>
    <cfset this.setDomainCookies = true>
    <cfset this.setClientCookies = true>
    <!--- 20-minute idle timeout; pound signs are not needed around an expression inside cfset --->
    <cfset this.sessionTimeout = CreateTimeSpan(0, 20, 0, 0)>

</cfcomponent>

And my CF admin looks like this: http://i.imgur.com/k9OZH.png

So how do I disable CFID?


Answer 1:


Using J2EE session variables should address that problem.

To do that, go to CF Administrator, Server Settings --> Memory Variables, and check the 'Use J2EE session variables' check box.

You can find some more information here: http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html




Answer 2:


Explain to the scanning agent that the CFID is sequential, but is not valid without a corresponding CFTOKEN cookie which is randomized. Since the session cannot be hijacked with the ID alone, it mitigates the reason for the scan failure. Their automated test assumes that the CFID cookie controls the session on its own, which is not the case. Every scanning vendor that I've worked with has accepted this as a mitigating factor and either disabled or overridden that specific test for me on CF-based sites.

Alternately, if none of the sites on the CF server use session variables, you can disable session management entirely and CF won't issue the cookies at all. If they are needed, the above explanation of how CF sessions are managed should get you through.
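As an added check (not code from the question or either answer), here is a Python script that reads the Set-Cookie headers from a few consecutive first-visit responses and reports what the scanner is reacting to: whether CFID is sequential, whether CFTOKEN looks random (the mitigating factor in Answer 2), and whether the site has moved to a JSESSIONID cookie via J2EE sessions (Answer 1). The header samples are constructed, and the "looks random" test is a heuristic (long, non-numeric, never repeated), not ColdFusion's exact token format.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a real server): Set-Cookie headers from
# three consecutive first-visit requests to a CF site with UUID CFTOKEN enabled.
SAMPLE_CF = [
    ["CFID=10415; Path=/", "CFTOKEN=a2f6c7b1e8d90421-5C1B3E7A-D3F0-4B26-9E7A1C55B0D4F8E2; Path=/"],
    ["CFID=10416; Path=/", "CFTOKEN=0b7e19c4d2a5f386-1F9A4C2D-7B3E-4E81-A0C6D9F21B7E3C45; Path=/"],
    ["CFID=10417; Path=/", "CFTOKEN=93d4e2a7c1f0b568-8E2D6A1F-3C7B-4A59-B1E4F0C3A2D7968B; Path=/"],
]
# Constructed sample of the same site after switching to J2EE session variables.
SAMPLE_J2EE = [
    ["JSESSIONID=4f8e2c1a9b7d3e6f0a2c4e6b8d0f1a3c; Path=/; HttpOnly"],
    ["JSESSIONID=9c1d3e5f7a9b1c3d5e7f9a1b3c5d7e9f; Path=/; HttpOnly"],
]

def parse_set_cookies(headers):
    """Map cookie name -> value from a list of Set-Cookie header strings."""
    cookies = {}
    for header in headers:
        name, _, rest = header.partition("=")
        cookies[name.strip()] = rest.split(";", 1)[0].strip()
    return cookies

def is_sequential(values):
    """True when all values are integers that increase by a small step."""
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False
    return len(nums) > 1 and all(0 < b - a <= 10 for a, b in zip(nums, nums[1:]))

def looks_random(values):
    """Heuristic: long, non-numeric, and never repeated across responses."""
    return bool(values) and len(set(values)) == len(values) and all(
        len(v) >= 32 and not v.isdigit() for v in values)

def assess_session_cookies(responses):
    """Summarise the session cookies issued across several responses."""
    seen = defaultdict(list)
    for headers in responses:
        for name, value in parse_set_cookies(headers).items():
            seen[name].append(value)
    cfid_sequential = is_sequential(seen.get("CFID", []))
    cftoken_random = looks_random(seen.get("CFTOKEN", []))
    return {
        "uses_j2ee_sessions": "JSESSIONID" in seen,
        "cfid_sequential": cfid_sequential,
        "cftoken_random": cftoken_random,
        # A sequential CFID is only a problem if CFTOKEN is guessable as well.
        "guessable_session": cfid_sequential and not cftoken_random,
    }

if __name__ == "__main__":
    print(assess_session_cookies(SAMPLE_CF))
    print(assess_session_cookies(SAMPLE_J2EE))
```

Point it at real captures by replacing the sample lists with the Set-Cookie headers of consecutive responses; a report with `guessable_session` false is the evidence to hand the scanning vendor.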



Source: https://stackoverflow.com/questions/9943261/how-do-i-secure-cfid-for-pci-compliance
