WebApp Sec mailing list archives

RE: ColdFusion - CFID & CFTOKEN

From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Thu, 14 Apr 2005 09:12:33 +1000

Use CF to generate 2500 bytes of data from the session IDs and use the FIPS
compliance test in openssl. If it passes that, then you're good to go and
let us know. If it doesn't pass that, report it to Macromedia as they've
failed.

You will need to hack away at the test code as it calls openssl to get the
2500 bytes of data.

Thanks,
Andrew

-----Original Message-----
From: Jason binger [mailto:cisspstudy () yahoo com]
Sent: Tuesday, 12 April 2005 10:49 AM
To: webappsec () securityfocus com
Subject: ColdFusion - CFID & CFTOKEN

I am currently doing some work with CF MX 6.1 and was
wondering if anyone had some information on the
strength of the CF cookie implementation.

How random the token generation is? How is the
generation performed?
What is the range of the generated tokens?
Has an independent security analysis been performed
and commented on in a public paper?

I have not seen any vendor supplied information on
this.

Cheers,
Jason

__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/

Current thread:

ColdFusion - CFID & CFTOKEN Jason binger (Apr 13)
- RE: ColdFusion - CFID & CFTOKEN Andrew van der Stock (Apr 13)
- Re: ColdFusion - CFID & CFTOKEN Rogan Dawes (Apr 14)
- Re: ColdFusion - CFID & CFTOKEN Amit Klein (AKsecurity) (Apr 18)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
  - Re: ColdFusion - CFID & CFTOKEN leighm (May 15)