Issue

If your organizations' Web properties are required by law or by contract to adhere to particular security standards, the person or company doing your compliance testing may report the following problem to you.

  • The CF_ID cookie is insecure because it is sequential in nature, and therefore easily guessed.

One of the common standards that might raise this issue is called PCI, but there are also others.



Reason

In its default configuration, Adobe ColdFusion uses a pair of cookies named CF_ID and CF_TOKEN to manage user sessions. These two cookies are only ever used in tandem with each other--they are never used separately.

Even though CF_ID is sequential, CF_TOKEN is random and is unpredictable. Since it is the combination of both cookies that is used, the resulting combination is also unpredictable.

Solution

To eliminate this error in your compliance testing, you can configure ColdFusion to use J2EE session identifiers instead of CF_ID and CF_TOKEN.

Note: This solution does not make your ColdFusion server any more or less secure.

To switch to J2EE session variables:

  1. Open the ColdFusion Administrator in your Web browser.
  2. Under the Server Settings category in the left hand list, choose Memory Variables.
  3. Select the Use J2EE Session Variables option.
  4. Click Submit Changes to commit the change.
  5. Restart your ColdFusion server to bring the change into effect.

ColdFusion now uses a JSessionID cookie instead of CF_ID and CF_TOKEN, and your next compliance test should not fail.

Additional Information

For more information on enabling J2EE session variables in Coldfusion, see "How to enable J2EE session management in ColdFusion MX" (TechNote tn_18232).

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy