
Problem

I want to make my session tokens harder to guess and more unique.

Solution

Like most of my web applications, I use sessions at some point to store information such as login state. I do this by using session tokens so that the server can identify who is who.

Detailed explanation

If you have ever looked at the default session ID, you may have noticed it is relatively easy to guess. If you're using the default ColdFusion session management, it is made up of the application name, CFID and CFTOKEN. This creates a unique session ID, but apart from the app name it is only numbers, with no letters or special characters.

There is a very simple way to make the session ID harder to guess: use a Universally Unique Identifier (UUID) for CFTOKEN.

UUID creates a 35-character string representation of a unique 128-bit integer.

Quote: http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000436.htm

To turn on UUIDs, go to the ColdFusion Administrator and, under Settings, check "Use UUID for cftoken".

Simple, harder to guess session IDs.

This is just one way to help secure your session IDs, and by no means the only one, but it is there to use in the CF Administrator and not many people change it from the default!
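As an added check (example code, not from this recipe or from Adobe): a small Python audit that parses the Set-Cookie headers a ColdFusion server returns, reports whether CFTOKEN is still the default digits-only form or the UUID layout, and sizes the character space of each. The sample headers are constructed, and the optional 16-hex-digit prefix the pattern tolerates is an assumption about how some versions format the UUID token.

```python
import math
import re

# ColdFusion's UUID layout is 8-4-4-16 hex digits (35 characters), not the
# 36-character RFC 4122 layout. Assumption: some versions prepend a 16-hex
# value and a dash to the CFTOKEN when the UUID option is on, so accept both.
CF_UUID_TOKEN = re.compile(
    r"^(?:[0-9A-Fa-f]{16}-)?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}$"
)


def parse_set_cookie(headers):
    """Map cookie name (upper-cased) -> value from a list of Set-Cookie header values."""
    cookies = {}
    for header in headers:
        pair = header.split(";", 1)[0]  # drop Path/Expires/... attributes
        if "=" in pair:
            name, value = pair.split("=", 1)
            cookies[name.strip().upper()] = value.strip()
    return cookies


def classify_cftoken(token):
    """'numeric' for the default digits-only token, 'uuid' for the UUID layout."""
    if token.isdigit():
        return "numeric"
    if CF_UUID_TOKEN.match(token):
        return "uuid"
    return "unknown"


def keyspace_bits(token):
    """Size of the token's character space in bits. This is only an upper bound on
    guessing cost: it assumes uniformly random generation, which one token cannot verify."""
    symbols = [c for c in token if c != "-"]
    per_symbol = math.log2(10) if token.isdigit() else 4  # decimal digit vs hex digit
    return round(len(symbols) * per_symbol, 1)


def audit(headers):
    """Return (classification, keyspace bits) for CFTOKEN, or None if the session cookies are absent."""
    cookies = parse_set_cookie(headers)
    if "CFID" not in cookies or "CFTOKEN" not in cookies:
        return None
    token = cookies["CFTOKEN"]
    return classify_cftoken(token), keyspace_bits(token)


# Constructed sample responses, not captured from a real server.
DEFAULT_RESPONSE = ["CFID=1234; Path=/", "CFTOKEN=87654321; Path=/"]
UUID_RESPONSE = ["CFID=1234; Path=/", "CFTOKEN=B3C5F6A7-1E2D-4C3B-A1B2C3D4E5F60718; Path=/"]

if __name__ == "__main__":
    print("default:", audit(DEFAULT_RESPONSE))  # ('numeric', 26.6)
    print("uuid:   ", audit(UUID_RESPONSE))     # ('uuid', 128)
```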


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Permissions beyond the scope of this license, pertaining to the examples of code included within this work are available at Adobe.