How do I secure CFID for PCI compliance?

Question

We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN, however, the CFID is still predictable and unaffected by any changes in CF Admin.

I don't really know why the CFID being predictable is a threat, but they want us to fix it.

I have been unable to find anything on the matter by googeling, and I'm really not sure what else to do.

Has anyone else dealt with something like this? Any suggestions?

EDIT:Here is what my Application.cfc file looks like:

<cfcomponent output="false">

    <cfset this.name="DatabaseOnline">
    <cfset this.sessionManagement=true>
    <cfset this.setDomainCookies=true>
    <cfset this.setClientCookies=true>
    <cfset this.sessionTimeOut=#CreateTimeSpan(0,20,0,0)#>

</cfcomponent> 

And my CF admin looks like this: http://i.imgur.com/k9OZH.png

So how do I disable CFID?

Answer 1

Using J2EE session variables should address that problem.

To do that go to CF Administrator. Server Settings --> Memory Variables and check the 'Use J2EE session variables' check box.

You can find some more information here http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html

Answer 2

Explain to the scanning agent that the CFID is sequential, but is not valid without a corresponding CFTOKEN cookie which is randomized. Since the session cannot be hijacked with the ID alone, it mitigates the reason for the scan failure. Their automated test assumes that the CFID cookie controls the session on its own, which is not the case. Every scanning vendor that I've worked with has accepted this as a mitigating factor and either disabled or overridden that specific test for me on CF-based sites.

Alternately, if none of the sites on the CF server use session variables, you can disable session management entirely and CF won't issue the cookies at all. If they are needed, the above explanation of how CF sessions are managed should get you through.