Based on what OWASP has to say. OWASP says:
"Best practice calls for J2EE session management. In the
event that only ColdFusion session management is available, strong
security identifiers must be used. Enable this setting to change
the default 8-character CFToken security token string to a UUID.
http://www.owasp.org/index.php/Configuration"
It looks like the J2EE sessions are the way to go.
I believe the reason for the PCI flag is that the scan (at
least the one from the service we use) was looking at CFID alone. I
assume this because CFTOKEN *was* set to use a UUID, so it should have
been secure. The scan probably doesn't know that CFID and CFTOKEN
are used in conjunction, so in a way this is a false positive.
Based on the new standards coming in, it is enough to be out of
compliance.
The solution to be in compliance is to set clientmanagement="no"
and setclientcookies="no" in Application.cfm so that CFID and
CFTOKEN are not set at all. By using only the JSESSIONID, you are
following best practices from OWASP and also get the benefit of the
session ending on browser close.
Other thoughts still welcome.
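The configuration change described in the post, written out as an added example (it is not code from the original post or from OWASP). It shows the weak cfapplication settings that a scan flags next to the corrected ones, and adds a request-time check that J2EE session variables are actually switched on in the ColdFusion Administrator (Server Settings > Memory Variables), since without that setting ColdFusion falls back to CFID/CFTOKEN sessions. The application name "ExampleApp" and the 30-minute timeout are placeholders.

```cfml
<!--- Application.cfm: added example, not the original poster's file.
      Assumes "Use J2EE session variables" is enabled in the ColdFusion
      Administrator; "ExampleApp" and the timeout are placeholders. --->

<!--- WEAK: client management on and client cookies on means ColdFusion
      writes persistent CFID and CFTOKEN cookies on every request.
      Unless "Use UUID for cftoken" is also enabled in the Administrator,
      CFTOKEN is the default 8-digit numeric token that OWASP warns about.
<cfapplication name="ExampleApp"
               sessionmanagement="yes"
               clientmanagement="yes"
               setclientcookies="yes">
--->

<!--- CORRECTED: no client variables, and ColdFusion is told not to write
      its own cookies, so CFID/CFTOKEN are never set. Session state rides
      on the servlet container's JSESSIONID, which is a non-persistent
      cookie and therefore disappears when the browser closes. --->
<cfapplication name="ExampleApp"
               sessionmanagement="yes"
               clientmanagement="no"
               setclientcookies="no"
               sessiontimeout="#createTimeSpan(0, 0, 30, 0)#">

<!--- Sanity check: with J2EE sessions enabled, ColdFusion's session.urlToken
      carries a jsessionid parameter instead of cfid/cftoken. If it does not,
      the Administrator setting is off and the cfapplication change alone
      would leave the application without a usable session identifier. --->
<cfif not findNoCase("jsessionid=", session.urlToken)>
    <cfthrow type="Application.SessionConfig"
             message="J2EE session variables are not enabled in the ColdFusion Administrator; CFID/CFTOKEN sessions would be used instead of JSESSIONID.">
</cfif>
```

After deploying, confirm the fix the same way the PCI scanner does: request a page and inspect the response headers. There should be a single Set-Cookie for JSESSIONID (with no Expires attribute, so it is session-scoped) and no Set-Cookie for CFID or CFTOKEN. Existing CFID/CFTOKEN cookies in users' browsers will simply be ignored once client management is off.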