If your organization's Web properties are required by law or by contract to adhere to particular security standards, the person or company doing your compliance testing may report the following problem to you.
- The CF_ID cookie is insecure because it is sequential in nature, and therefore easily guessed.
One common standard under which this issue is raised is PCI, but others exist as well.
In its default configuration, Adobe ColdFusion uses a pair of cookies named CF_ID and CF_TOKEN to manage user sessions. These two cookies are only ever used in tandem with each other; they are never used separately.
Even though CF_ID is sequential, CF_TOKEN is random and unpredictable. Because it is the combination of both cookies that identifies the session, the resulting combination is also unpredictable.
To eliminate this finding from your compliance testing, configure ColdFusion to use J2EE session identifiers instead of CF_ID and CF_TOKEN.
Note: This solution does not make your ColdFusion server any more or less secure.
With J2EE session management enabled, ColdFusion uses a JSessionID cookie instead of CF_ID and CF_TOKEN, and your next compliance test should not fail.
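To confirm the change took effect before the next scan, the following added example (not part of this TechNote) classifies the Set-Cookie headers of a ColdFusion response by session scheme. It assumes the pair appears on the wire as CFID/CFTOKEN (the spelling CF_ID/CF_TOKEN is accepted too); the sample headers are constructed, not captured.

```python
"""Added example, not from the TechNote: classify a ColdFusion response's
Set-Cookie headers by session scheme, to confirm after enabling J2EE sessions
that the CF_ID/CF_TOKEN pair a compliance scanner flags is no longer issued.
On the wire the pair is named CFID/CFTOKEN; both spellings are accepted.
"""

PAIR = {"CFID", "CFTOKEN"}
J2EE = "JSESSIONID"


def cookie_name(set_cookie_value: str) -> str:
    """Return the cookie name from one Set-Cookie header value."""
    return set_cookie_value.split(";", 1)[0].partition("=")[0].strip()


def normalize(name: str) -> str:
    """Fold CF_ID / cfid / CFID to one spelling for comparison."""
    return name.upper().replace("_", "")


def classify_session_cookies(set_cookie_headers) -> dict:
    """Report which session scheme the response is using.

    scheme: 'cfid_cftoken' (default pair, flagged as sequential by scanners),
            'j2ee' (JSESSIONID only, the configuration this TechNote describes),
            'both' (pair still issued next to JSESSIONID, so CF_ID is still seen),
            'none' (no session cookie found).
    incomplete_pair: only one half of CFID/CFTOKEN present, which the default
            configuration never does, so it is worth investigating.
    """
    names = {normalize(cookie_name(h)) for h in set_cookie_headers}
    has_pair = PAIR <= names
    has_j2ee = J2EE in names
    if has_pair and has_j2ee:
        scheme = "both"
    elif has_pair:
        scheme = "cfid_cftoken"
    elif has_j2ee:
        scheme = "j2ee"
    else:
        scheme = "none"
    return {
        "scheme": scheme,
        "incomplete_pair": bool(PAIR & names) and not has_pair,
        "cookies": sorted(names),
    }


# Constructed sample responses; the values are made up, not captured.
DEFAULT_RESPONSE = ["CFID=10423; Path=/", "CFTOKEN=48931027; Path=/"]
J2EE_RESPONSE = ["JSESSIONID=AB12CD34EF56; Path=/; HttpOnly"]
```

Feed it the Set-Cookie values from a real response to your server; a result of "both" means the scanner will still see CF_ID even though JSessionID is present.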
For more information on enabling J2EE session variables in ColdFusion, see "How to enable J2EE session management in ColdFusion MX" (TechNote tn_18232).