Adobe 38043740 Lockdown Guide - Page 57
Section 5: ColdFusion Administrator Settings

In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of each setting before making any changes.

5.1 Server Settings > Settings

Setting: Timeout Requests after
Default: Checked / 60 Sec.
Recommendation: Checked / 5 Sec.
Description: Set this value as low as possible. Any templates (such as scheduled tasks) that legitimately take longer should raise the limit for that request only, using the requestTimeout attribute of the cfsetting tag, rather than raising the server-wide value.

Setting: Use UUID for cftoken
Default: Unchecked
Recommendation: Checked
Description: By default CFID is a sequential counter and CFTOKEN is a short numeric value, which makes it fairly easy to hijack a session by guessing a valid CFID / CFTOKEN pair. Enabling this setting replaces the numeric CFTOKEN with a much harder to guess UUID-style value. This setting is not strictly required if J2EE sessions are enabled, because the session is then identified by the servlet container's own session ID rather than by CFID / CFTOKEN; however, it does not hurt to turn it on anyway.

Setting: Disable CFC Type check
Default: Unchecked
Recommendation: Unchecked
Description: Developers may rely on the declared argument types of CFC functions; enabling this setting stops ColdFusion enforcing them, which might allow attackers to cause new exceptions in the application by passing unexpected values. This setting may be enabled if the developer(s) have built the application to validate arguments explicitly rather than relying on the type check.
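The following template illustrates the "Timeout Requests after" recommendation: the Administrator value stays at 5 seconds and a scheduled task that genuinely needs longer raises the limit for its own request with cfsetting. This is an added example, not code from the lockdown guide or from Adobe; the file name, batch names and log file name are illustrative.

```cfml
<!--- nightly_report.cfm: a template run by a ColdFusion scheduled task.
      Added example, not from the lockdown guide. Assumes the Administrator
      "Timeout Requests after" value has been lowered to 5 seconds as the guide
      recommends, and that this report really does need a few minutes.
      File, batch and log names are illustrative. --->

<!--- Override the Administrator limit for THIS request only. Choose the smallest
      value the job actually needs; every other request on the server keeps the
      5-second limit. Without this line ColdFusion would abort the request with a
      "request has exceeded the allowable time limit" error partway through. --->
<cfsetting requestTimeout="300" enableCFoutputOnly="true">

<cfset startTick = getTickCount()>

<!--- Constructed stand-in for the real batch list: one unit of work per entry --->
<cfset batches = ["orders", "invoices", "shipments", "returns"]>

<cfloop array="#batches#" index="batchName">
    <!--- Query, aggregate and export one batch here (omitted); the sleep stands
          in for work that takes longer than the server-wide timeout allows --->
    <cfset sleep(1000)>
    <cflog file="nightly_report" type="information"
           text="batch #batchName# finished after #(getTickCount() - startTick)# ms">
</cfloop>
```

Keep the per-request value proportionate to the task: a template that sets requestTimeout to a very large number, or that can be invoked by arbitrary clients, gives an attacker an easy way to tie up request threads for that long.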
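The "Disable CFC Type check" entry turns on the condition under which a CFC can safely be run with type checking disabled: the function validates its arguments itself instead of relying on the declared type. The component below is an added example, not code from the lockdown guide or from Adobe; the component and function names, the datasource "app" and the orders table are assumptions.

```cfml
<!--- OrderService.cfc
      Added example, not from the lockdown guide. Written so that it behaves the
      same whether or not "Disable CFC Type check" is enabled in the Administrator.
      Component name, datasource "app" and the orders table are assumptions. --->
<cfcomponent output="false">

    <cffunction name="getOrder" access="remote" returntype="struct" output="false">
        <!--- With type checking enabled, a non-numeric orderId is rejected here
              before the function body runs. With the check disabled, the declared
              type is ignored and any string reaches the body unchanged. --->
        <cfargument name="orderId" type="numeric" required="true">

        <!--- Explicit validation that does not depend on the Administrator setting.
              A bad value fails with a controlled exception instead of reaching the
              query and surfacing a database error to the (remote) caller. --->
        <cfif NOT isValid("integer", arguments.orderId) OR arguments.orderId LTE 0>
            <cfthrow type="OrderService.InvalidArgument"
                     message="orderId must be a positive integer">
        </cfif>

        <!--- cfqueryparam binds the value as an integer, so even with type
              checking disabled the parameter cannot alter the SQL statement. --->
        <cfquery name="qOrder" datasource="app">
            SELECT id, status
            FROM   orders
            WHERE  id = <cfqueryparam value="#arguments.orderId#" cfsqltype="cf_sql_integer">
        </cfquery>

        <cfif qOrder.recordCount EQ 0>
            <cfthrow type="OrderService.NotFound" message="No such order">
        </cfif>

        <cfset result = { id = qOrder.id, status = qOrder.status }>
        <cfreturn result>
    </cffunction>

</cfcomponent>
```

A remote-accessible method like this is exactly where the setting matters: the type check is the only thing standing between an attacker-supplied value and the function body, so an application that has not added its own validation should leave the setting at its default (type checking on).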