如何确保CFID符合PCI标准？ [英] How do I secure CFID for PCI compliance?

问题描述

我们的PCI扫描失败，因为ColdFusion有可预测的CFID。我们得到的确切失败是可预测的Cookie会话ID。现在CFTOKEN不再可预测，因为我已经配置CF使用UUID为CFTOKEN，但是，CFID仍然是可预测的，不受CF管理中的任何更改。

We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN, however, the CFID is still predictable and unaffected by any changes in CF Admin.

我真的不知道为什么CFID是可预见的是一个威胁，但他们希望我们解决它。

I don't really know why the CFID being predictable is a threat, but they want us to fix it.

我已经无法找到任何东西通过googeling ，我真的不知道还能做什么。

I have been unable to find anything on the matter by googeling, and I'm really not sure what else to do.

有没有人处理过这样的东西？有什么建议么？

Has anyone else dealt with something like this? Any suggestions?

编辑：这是我的Application.cfc文件看起来像：

Here is what my Application.cfc file looks like:

<cfcomponent output="false">

    <cfset this.name="DatabaseOnline">
    <cfset this.sessionManagement=true>
    <cfset this.setDomainCookies=true>
    <cfset this.setClientCookies=true>
    <cfset this.sessionTimeOut=#CreateTimeSpan(0,20,0,0)#>

</cfcomponent> 

我的CF管理员看起来像这样： http://i.imgur.com/k9OZH.png

And my CF admin looks like this: http://i.imgur.com/k9OZH.png

那么如何禁用CFID

So how do I disable CFID?

推荐答案

使用J2EE会话变量应该解决这个问题。

Using J2EE session variables should address that problem.

要做到这一点去CF管理员。服务器设置 - >内存变量并检查使用J2EE会话变量复选框。

To do that go to CF Administrator. Server Settings --> Memory Variables and check the 'Use J2EE session variables' check box.

您可以在此处找到更多信息http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html

You can find some more information here http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html

这篇关于如何确保CFID符合PCI标准？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！