
We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN; however, the CFID is still predictable and unaffected by any changes in CF Admin.

I don't really know why the CFID being predictable is a threat, but they want us to fix it.

I have been unable to find anything on the matter by googling, and I'm really not sure what else to do.

Has anyone else dealt with something like this? Any suggestions?

EDIT: Here is what my Application.cfc file looks like:

<cfcomponent output="false">

    <cfset this.name = "DatabaseOnline">
    <!--- Enables session variables; CF identifies the session with CFID/CFTOKEN (or JSESSIONID under J2EE sessions) --->
    <cfset this.sessionManagement = true>
    <!--- Controls whether CF issues the CFID/CFTOKEN cookies, and whether they are scoped to the whole domain --->
    <cfset this.setDomainCookies = true>
    <cfset this.setClientCookies = true>
    <!--- 20-minute idle timeout (days, hours, minutes, seconds) --->
    <cfset this.sessionTimeout = CreateTimeSpan(0, 20, 0, 0)>

</cfcomponent>

And my CF admin looks like this: https://i.stack.imgur.com/VZF0Q.png

So how do I disable CFID?

James A Mohler
Amir

2 Answers


Using J2EE session variables should address that problem.

To do that go to CF Administrator. Server Settings --> Memory Variables and check the 'Use J2EE session variables' check box.

You can find some more information here http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html

Scott Stroz
  • That's exactly what I did, and it does take care of it for CFTOKEN, but they want CFID to be randomized as well, which I just don't get. I've not heard of anyone else having to randomize CFID, and I don't even know if that is possible since CF needs that to keep track of users. – Amir Mar 30 '12 at 13:10
  • You should no longer be getting a CFID cookie, as enabling that setting replaces them both with the jsession cookie. Try clearing your cookies and starting again. – baynezy Mar 30 '12 at 13:33
  • Even with J2EE session variables on, you'll still get CFID and CFTOKEN cookies unless you turn them off. See this answer: http://stackoverflow.com/a/268986/21960 – ale Mar 30 '12 at 13:46
  • How do I disable CFID and CFTOKEN though? I've edited my post so you can see what my setup looks like, if that helps. – Amir Mar 30 '12 at 15:26
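Putting the answer and the comment thread together, here is an Application.cfc that keeps sessions working while stopping CF from issuing the CFID/CFTOKEN cookies at all. This is an added example, not the asker's file or code from either answer. It assumes "Use J2EE session variables" has already been ticked under Server Settings --> Memory Variables in CF Administrator, so the servlet container's JSESSIONID cookie identifies the session; the application name and timeout are carried over from the question, and the onRequestStart audit log is a hypothetical addition for verifying the rollout.

```cfml
<!--- Added example Application.cfc (not the original poster's file).
      Assumes CF Administrator > Server Settings > Memory Variables >
      "Use J2EE session variables" is checked, so the container issues
      a JSESSIONID cookie and CF no longer needs CFID/CFTOKEN for the session. --->
<cfcomponent output="false">

    <cfset this.name = "DatabaseOnline">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = CreateTimeSpan(0, 20, 0, 0)>

    <!--- Do not send CFID/CFTOKEN cookies. With J2EE sessions on, nothing is lost:
          the session is keyed by JSESSIONID. Without J2EE sessions, turning this off
          would force you to append CFID/CFTOKEN to every URL yourself. --->
    <cfset this.setClientCookies = false>
    <cfset this.setDomainCookies = false>

    <!--- Client variables are a separate feature from session variables;
          leave them off unless the site actually uses the client scope. --->
    <cfset this.clientManagement = false>

    <!--- Hypothetical rollout check: under J2EE sessions session.sessionid is derived from
          JSESSIONID, and no CFID cookie should arrive once browsers have dropped the old one.
          Log any request that still carries CFID so the scan result can be explained. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfif structKeyExists(cookie, "CFID")>
            <cflog file="session-audit"
                   text="Legacy CFID cookie still presented; session #session.sessionid#">
        </cfif>
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

After deploying, clear the browser's cookies (as baynezy's comment suggests) and confirm that the first response carries only a JSESSIONID Set-Cookie header and no CFID or CFTOKEN; old CFID cookies already stored by visitors will keep being sent until they expire, which is what the log line above is meant to surface.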

Explain to the scanning agent that the CFID is sequential, but is not valid without a corresponding CFTOKEN cookie which is randomized. Since the session cannot be hijacked with the ID alone, it mitigates the reason for the scan failure. Their automated test assumes that the CFID cookie controls the session on its own, which is not the case. Every scanning vendor that I've worked with has accepted this as a mitigating factor and either disabled or overridden that specific test for me on CF-based sites.

Alternately, if none of the sites on the CF server use session variables, you can disable session management entirely and CF won't issue the cookies at all. If they are needed, the above explanation of how CF sessions are managed should get you through.

Justin Scott
  • Thank you very much for this, I think this might help me out. There are sections in the site that do need session variables, but I think (I hope I'm doing this right), by adding these two things to my application.cfc file: it should take care of that problem for me. This way sessions still work, but they use the J2EE ones. Like I said I'm not 100% sure about all of this but that sounds right to me. – Amir Mar 30 '12 at 18:27
  • Just remember that "client" variables are separate from "session" variables (in the case of the "clientManagement" setting). If you disable "setClientCookies" it will not automatically send the CFID and CFTOKEN cookies and you'll need to ensure that those values are passed around on the URL for pages where session management/variables are used. – Justin Scott Apr 16 '12 at 17:14