jSessionID, CFId/CFToken-Which is predictable?
Posted on 2008-06-10
I have results from our the new and improved PCI scan and it comes up with one Medium risk vuln.
Description: The remote web application is using predictable cookie-based session IDs. Ideally, session IDs are randomly generated numbers that cannot be guessed by attackers. If the session ID is predictable, an attacker could hijack an active victim's session, allowing the attacker to interact with the server as though they were the victim. If the session ID is used to track the state of authentication, the session ID of an authenticated user could be guessed, bypassing any need for a username or password. In the case of this server, the session ID was found to have an insignificant number of changes between session IDs, which makes guessing very easy.
Remediation: The software needs to be either configured or modified to generate random session IDs.
Assuming I'm getting flagged because of cfid/cftoken predictablility I've setClientCookies = "no" and clientmanagement="no" and restarted the service and everything seems to be working with jsessionids alone... are there any pitfalls to watch out with not using cfid/cftoken?
I currently have enabled Use J2EE session variables
basic question before I pay for another scan is:
I was under the impression that jsessionids were the most secure and a better alternative than cfid/cftoken. Is that not the case?
Note: The flagged scan occurred before I made the client variable changes to the application.cfm (so I had both jsessionid and cfid/cftoken being set) As of now only jsessionid is being set