We've been failing our PCI scans because ColdFusion has predictable CFIDs. The exact FAIL we get is "Predictable Cookie Session IDs". Now the CFTOKEN is no longer predictable since I've configured CF to use UUID for CFTOKEN, however, the CFID is still predictable and unaffected by any changes in CF Admin.
I don't really know why the CFID being predictable is a threat, but they want us to fix it.
I have been unable to find anything on the matter by googling, and I'm really not sure what else to do.
Has anyone else dealt with something like this? Any suggestions?
EDIT: Here is what my Application.cfc file looks like:
    <cfcomponent output="false">
        <cfset this.name="DatabaseOnline">
        <!--- CF-managed sessions: issues CFID/CFTOKEN cookies unless J2EE sessions are enabled in CF Admin --->
        <cfset this.sessionManagement=true>
        <cfset this.setDomainCookies=true>
        <cfset this.setClientCookies=true>
        <!--- pound signs are not needed inside cfset; 20-minute session timeout --->
        <cfset this.sessionTimeOut=CreateTimeSpan(0,20,0,0)>
    </cfcomponent>
And my CF admin looks like this: http://i.imgur.com/k9OZH.png
So how do I disable CFID?
Using J2EE session variables should address that problem.
To do that go to CF Administrator. Server Settings --> Memory Variables and check the 'Use J2EE session variables' check box.
You can find some more information here http://helpx.adobe.com/coldfusion/kb/predictable-cookie-session-ids-reported.html
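As an added check, not part of the question or the answer above: after switching to J2EE session variables, you will want to confirm what the server actually sends before re-running the PCI scan. The script below takes the Set-Cookie headers from several fresh-client responses to your own application and flags any session cookie whose values are sequential (a counter, as the scanner complained about for CFID) or too short to be random. The header samples are constructed for the example; the cookie names CFID, CFTOKEN and JSESSIONID are the ones ColdFusion uses for its own client cookies and for the J2EE-session setting respectively.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Session cookie names ColdFusion may issue: CFID/CFTOKEN with its own
# session management, JSESSIONID when "Use J2EE session variables" is on.
SESSION_COOKIE_NAMES = ("CFID", "CFTOKEN", "JSESSIONID")

# Constructed sample data: the first Set-Cookie headers seen by three fresh
# clients before the change (CFID still a counter, CFTOKEN already UUID) ...
BEFORE_FIX = [
    ["CFID=4216; path=/; HttpOnly",
     "CFTOKEN=e9f1a2b3-4c5d-6e7f-8a9b0c1d2e3f4a5b; path=/; HttpOnly"],
    ["CFID=4217; path=/; HttpOnly",
     "CFTOKEN=0b7c3d1e-2f4a-5b6c-7d8e9f0a1b2c3d4e; path=/; HttpOnly"],
    ["CFID=4218; path=/; HttpOnly",
     "CFTOKEN=5a6b7c8d-9e0f-1a2b-3c4d5e6f7a8b9c0d; path=/; HttpOnly"],
]
# ... and after enabling J2EE sessions (servlet container issues JSESSIONID).
AFTER_FIX = [
    ["JSESSIONID=3A1F9C2E7B4D8F0A5C6E1B2D9F3A4C7E; path=/; HttpOnly"],
    ["JSESSIONID=9D2B4F6A8C0E1B3D5F7A9C1E3B5D7F9A; path=/; HttpOnly"],
    ["JSESSIONID=B7E1C3A5D9F2468A0C1E3B5D7F9A2C4E; path=/; HttpOnly"],
]


def parse_set_cookie(header: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) from a Set-Cookie header value, or None if malformed."""
    m = re.match(r"\s*([^=;\s]+)=([^;]*)", header)
    if not m:
        return None
    return m.group(1), m.group(2).strip()


def looks_sequential(values: List[str], max_step: int = 64) -> bool:
    """True when every sample is an integer and consecutive samples differ by a
    small positive step, i.e. the id is a counter rather than a random value."""
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    steps = [b - a for a, b in zip(nums, nums[1:])]
    return all(0 < s <= max_step for s in steps)


def looks_random(value: str, min_hex_chars: int = 16) -> bool:
    """Crude length check: at least 64 bits worth of hex characters.
    Dashes are stripped so ColdFusion-style UUIDs qualify."""
    hexchars = value.replace("-", "")
    return len(hexchars) >= min_hex_chars and re.fullmatch(r"[0-9A-Fa-f]+", hexchars) is not None


def audit(responses: Iterable[Iterable[str]]) -> Dict[str, dict]:
    """Group session cookies across responses by name and flag each one as
    predictable when it is a counter or its values are too short to be random."""
    samples: Dict[str, List[str]] = defaultdict(list)
    for headers in responses:
        for h in headers:
            parsed = parse_set_cookie(h)
            if parsed and parsed[0].upper() in SESSION_COOKIE_NAMES:
                samples[parsed[0].upper()].append(parsed[1])
    report = {}
    for name, values in samples.items():
        report[name] = {
            "samples": len(values),
            "predictable": looks_sequential(values) or not all(looks_random(v) for v in values),
        }
    return report


if __name__ == "__main__":
    for label, data in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(data))
```

Replace the constructed lists with real headers captured from separate fresh clients (a new cookie jar per request) against your own server; a result that still shows CFID, or any session cookie marked predictable, means the scanner will keep failing the site.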