In CFAdmin the "Use UUID for cftoken" checkbox is very helpful in creating an unpredictable value. Is there any way to do this with the value for CFID? Over the last week I have been in the process of migrating to CF10 and this one last issue still remains for PCI compliance.
Security Metrics Scan complains...
Data Received: Sending several requests gives us the following session IDs : CFID=37810 CFID=37813 CFID=37814 CFID=37815 CFID=37816 Resolution: Configure the remote site and CGIs so as to use random session IDs.
On my CF 9 server I would encrypt the CFID and onSessionStart() with this…
<cfset LOCAL.EncryptedID = Encrypt("#SESSION.CFID#,#SESSION.CFTOKEN#",server.encrypt_key,"CFMX_COMPAT","HEX") />
…and then on init() in the Application.cfc I would decrypt it using...
<cfcookie name="CFID" value="#ListFirst( THIS.DecryptedID )#" expires="NOW" httponly="true" />
With this same code on CF 10 server I now get the following error on that line of code… (If you don't see it - try restarting the CF service)
The system has attempted to use an undefined value, which usually indicates a programming error, either in your code or some system code.
Null Pointers are another name for undefined values.
- There is a server setting to not allow application level editing of session cookies and I have this configured to allow edit.
- The value of cookie.CFID = a numeric value at this line.
- You cannot even straight on edit the value of the CFID cookie without producing the same error.
Is it not possible to encrypt the value of CFID anymore?
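The scanner finding quoted in the question is easy to reproduce yourself before the next PCI scan. The script below is an added example and is not part of the original post or of ColdFusion: it takes Set-Cookie header values captured from several fresh sessions (here a constructed sample that mirrors the CFID values in the finding) and classifies each session cookie as sequential, repeated, low-entropy or unpredictable-looking. The 64-bit threshold follows the OWASP session management guidance for session identifier entropy; the entropy figure itself is a crude per-character estimate from a handful of samples, so treat it as a screening value, not a proof of randomness.

```python
"""Pre-scan self-check: do the session cookies a server hands out look predictable?

Added example, not part of the original post. Input is a list of Set-Cookie
header values, one per response, collected from separate fresh sessions.
"""
import math
import re
from collections import Counter

# Session cookie names to track. CFID/CFTOKEN are ColdFusion's own;
# JSESSIONID appears when J2EE session variables are enabled.
TRACKED = ("CFID", "CFTOKEN", "JSESSIONID")

# Constructed sample: five responses, each setting CFID and CFTOKEN.
# CFID values copy the pattern from the scan finding (37810, 37813, ...);
# CFTOKEN values are made-up UUID-style tokens.
SAMPLE_SET_COOKIE_HEADERS = [
    "CFID=37810; Path=/; HttpOnly",
    "CFTOKEN=0A1B2C3D-4E5F-6071-82930A1B2C3D4E5F; Path=/; HttpOnly",
    "CFID=37813; Path=/; HttpOnly",
    "CFTOKEN=9F8E7D6C-5B4A-3928-17065F4E3D2C1B0A; Path=/; HttpOnly",
    "CFID=37814; Path=/; HttpOnly",
    "CFTOKEN=C41D9E02-7A3B-85F6-0E1D2C3B4A596877; Path=/; HttpOnly",
    "CFID=37815; Path=/; HttpOnly",
    "CFTOKEN=5E6F7081-92A3-B4C5-D6E7F80912A3B4C5; Path=/; HttpOnly",
    "CFID=37816; Path=/; HttpOnly",
    "CFTOKEN=D0C1B2A3-9485-7667-584930A1B2C3D4E5; Path=/; HttpOnly",
]

_COOKIE_RE = re.compile(r"\s*([^=;\s]+)=([^;]*)")


def parse_session_cookies(set_cookie_headers, names=TRACKED):
    """Return {cookie_name: [value, ...]} for tracked names, in response order."""
    found = {n: [] for n in names}
    for header in set_cookie_headers:
        m = _COOKIE_RE.match(header)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2).strip()
        if name in found:
            found[name].append(value)
    return {n: v for n, v in found.items() if v}


def estimated_bits(values):
    """Crude entropy estimate: per-character Shannon entropy over all samples
    multiplied by the average value length. Good enough to separate a
    5-digit counter from a UUID-style token; not a proof of randomness."""
    if not values:
        return 0.0
    text = "".join(values)
    total = len(text)
    counts = Counter(text)
    per_char = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return per_char * (total / len(values))


def assess(values, max_step=100, min_bits=64):
    """Classify one cookie's observed values.

    'sequential'  - all numeric and each value is within max_step above the previous
    'repeated'    - the same value was issued more than once
    'low-entropy' - estimated entropy below min_bits (OWASP guidance: >= 64 bits)
    'unpredictable-looking' - none of the above triggered
    """
    if len(set(values)) < len(values):
        return "repeated"
    if all(v.isdigit() for v in values):
        nums = [int(v) for v in values]
        steps = [b - a for a, b in zip(nums, nums[1:])]
        if steps and all(0 < s <= max_step for s in steps):
            return "sequential"
    if estimated_bits(values) < min_bits:
        return "low-entropy"
    return "unpredictable-looking"


def check_session_cookies(set_cookie_headers):
    """Run the assessment over every tracked cookie; returns {name: verdict}."""
    return {name: assess(vals)
            for name, vals in parse_session_cookies(set_cookie_headers).items()}


if __name__ == "__main__":
    for name, verdict in check_session_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {verdict}")
```

Feed it real headers by issuing several requests without sending any existing cookies (each one must start a fresh session) and collecting the Set-Cookie values in order; a "sequential" verdict on CFID is exactly what the Security Metrics check is flagging, and a "repeated" verdict points at session fixation risk rather than predictability.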