Here's information about how CFTOKEN and CFID work. Below is a snippet of technical information that Allaire Corporation sent me. My research group has documented stuff related to this on http://cookies.lcs.mit.edu/.

--------
Kevin E. Fu (fubobat_private)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html

------- Forwarded Message

1) From the ColdFusion 4.5.1 SP2 Release Notes:

>>> CFID is assigned sequentially per machine. The entire value
>>> must consist of all decimal digits (0-9).
>>> CFTOKEN - by default assigned as a random long integer. The
>>> value range is 0 < x < 2,147,483,647. ColdFusion no longer
>>> validates any part of this token, allowing users to re-assign
>>> this to any value they choose.
>>>
>>> However, by setting the registry key
>>> HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\
>>> Clients\ UuidToken to be the string value "1", ColdFusion
>>> assigns CFTOKENS using the same random number concatenated
>>> with a UUID, which is guaranteed to be globally unique.
>>>
>>> We use the random number to avoid simple guessing of the
>>> uuids, since only a small portion of a uuid changes with each
>>> assignment, and to make database lookups more efficient.
>>>
>>> A typical CFTOKEN using this method looks like this:
>>> 57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5
>>>
>>> If you turn on the UuidToken switch and you are storing
>>> client variable information in a database, you will need to
>>> increase the column width of the 'cfid' column in the CDATA
>>> and CGLOBAL tables. You should change the current width of 20
>>> characters to at least 50 characters, due to the increased
>>> length of CFTOKEN.
>>>
>>> You may also have to change other applications if they are
>>> storing the CFTOKEN value in a fixed length field.

2) I looked into the algorithm we use to generate the random number.
The answer from our lead developer for ColdFusion is:

> We use a random number generator from the book
> Algorithms in C, p513 by Sedgewick

Our lead developer does not think the random number generator is cryptographically secure.

...

------- End of Forwarded Message
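As an added example (not part of the original post or of Allaire's code), a small Python checker for the two CFTOKEN formats the release notes describe, plus the column-width check they mention; it assumes the random prefix in the UUID form is the same 31-bit number written in hex, as the sample token suggests.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Formats taken from the release notes quoted above:
#   CFID    - all decimal digits (assigned sequentially per machine).
#   CFTOKEN - default: decimal integer with 0 < x < 2,147,483,647;
#             UuidToken="1": random number + "-" + UUID, e.g.
#             57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5
# Assumption (not in the notes): the random prefix in the UUID form is
# the same 31-bit number rendered as up to 8 hex digits, as the example suggests.
DIGITS_RE = re.compile(r"[0-9]+")
CFTOKEN_MAX = 2_147_483_647
UUID_TOKEN_RE = re.compile(
    r"[0-9a-f]{1,8}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    re.IGNORECASE,
)
LEGACY_COLUMN_WIDTH = 20  # original 'cfid' column width in CDATA/CGLOBAL
UUID_COLUMN_WIDTH = 50    # width the notes recommend once UuidToken is on


@dataclass
class TokenCheck:
    cfid_ok: bool
    cftoken_kind: Optional[str]  # "int", "uuid", or None when malformed
    fits_legacy_column: bool     # fits the original 20-char column
    fits_uuid_column: bool       # fits the recommended 50-char column


def classify_cftoken(cftoken: str) -> Optional[str]:
    """Return "int" or "uuid" for a well-formed CFTOKEN, else None."""
    if DIGITS_RE.fullmatch(cftoken):
        return "int" if 0 < int(cftoken) < CFTOKEN_MAX else None  # strict bounds
    return "uuid" if UUID_TOKEN_RE.fullmatch(cftoken) else None


def check_client_cookie(cfid: str, cftoken: str) -> TokenCheck:
    """Validate a CFID/CFTOKEN pair the way ColdFusion 4.5.1 no longer does.
    Worth logging when it fails: the server accepts any value, so a
    non-conforming token means the client rewrote its cookie."""
    return TokenCheck(
        cfid_ok=bool(DIGITS_RE.fullmatch(cfid)),
        cftoken_kind=classify_cftoken(cftoken),
        fits_legacy_column=len(cftoken) <= LEGACY_COLUMN_WIDTH,
        fits_uuid_column=len(cftoken) <= UUID_COLUMN_WIDTH,
    )
```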
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 16:36:14 PDT