From Adobe ColdFusion 11 Security Technical Implementation Guide
Part of SRG-APP-000223-AS-000150
Associated with: CCI-001664
Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an authenticated session, the attacker is given the privileges of the user who created the session. This may allow the attacker to generate user accounts for later use, change configuration settings, deploy an application or change application modules and code for already hosted applications, or see usernames for trusted relationships to other resources. It is important that each new session is given a new and unique session identifier and that old identifiers are discarded quickly.
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Cookie Timeout" is not set to -1, this is a finding.
Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the parameter "Cookie Timeout" to -1 and select the "Submit Changes" button.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer