ColdFusion must not store user information in the server registry.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279084 | SRG-APP-000435-AS-000163 | APAS-CF-000760 | SV-279084r1171578_rule | 2025-12-19 | 1 |
| Description |
|---|
| Client variables in ColdFusion persist user-specific information between requests and sessions. If the default storage mechanism for these client variables is set to the Windows registry, it introduces a number of security and performance risks. The Windows registry is not designed for high-frequency, dynamic data storage and lacks adequate security controls for storing sensitive session data. Storing client variables in the registry increases the risk of unauthorized access or data corruption, especially in environments where multiple services or users share access to the system. Improper configuration of the client variable purge interval can lead to excessive accumulation of stale data. If outdated session data is not purged in a timely manner, it may result in degraded system performance, resource exhaustion, or inadvertent exposure of residual user data. Ensuring that client variables are stored in a more secure and scalable location (e.g., a database or in-memory store) and that the purge interval is properly configured helps protect user data, improve system performance, and reduce the attack surface of the ColdFusion application environment. |
| ℹ️ Check |
|---|
| Verify Client Variable Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Client Variables. If the default storage mechanism for client sessions is set to "Registry", this is a finding. If the "Purge Interval" is not set to 1 hour and 7 minutes, this is a finding. |
| ✔️ Fix |
|---|
| Configure Client Variable settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Client Variables. 2. Set the default storage mechanism for client sessions to any available mechanism other than the registry. 3. Set "Purge Interval" to 1 hour and 7 minutes. 4. Select "Apply". |
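The two conditions in the Check can be evaluated mechanically once the values from Server Settings >> Client Variables have been recorded. The following is an added example, not part of the STIG text or of ColdFusion itself; the snapshot format (a dict with `default_storage` and `purge_interval` as read off the admin console) is an assumption, and the sample snapshots are constructed.

```python
"""Added example: evaluate a ColdFusion client variable settings snapshot
against APAS-CF-000760 (no registry storage; purge interval of 1 hour 7 min).
The snapshot format below is an assumption, not ColdFusion's own config file."""
import re

REQUIRED_PURGE_MINUTES = 1 * 60 + 7   # STIG value: 1 hour and 7 minutes


def parse_interval_minutes(text):
    """Parse '1 hour 7 minutes', '1h 7m', '67 min', '01:07' or '67' into minutes."""
    text = text.strip().lower()
    clock = re.fullmatch(r"(\d{1,2}):(\d{2})", text)      # hh:mm form
    if clock:
        return int(clock.group(1)) * 60 + int(clock.group(2))
    if text.isdigit():                                    # bare number: minutes
        return int(text)
    parts = re.findall(r"(\d+)\s*(hours?|hrs?|h|minutes?|mins?|m)\b", text)
    if not parts:
        raise ValueError(f"unrecognised interval: {text!r}")
    return sum(int(n) * (60 if unit.startswith("h") else 1) for n, unit in parts)


def evaluate(settings):
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    store = settings.get("default_storage", "").strip().lower()
    if store == "registry":
        findings.append("default client variable storage is Registry")
    elif not store:
        findings.append("default client variable storage is not set")
    try:
        minutes = parse_interval_minutes(settings.get("purge_interval", ""))
    except ValueError as exc:
        findings.append(f"purge interval unreadable: {exc}")
    else:
        if minutes != REQUIRED_PURGE_MINUTES:
            findings.append(
                f"purge interval is {minutes} min, expected {REQUIRED_PURGE_MINUTES}")
    return findings


# Constructed sample snapshots (hypothetical values, not taken from a real server)
WEAK = {"default_storage": "Registry", "purge_interval": "1 hour 30 minutes"}
FIXED = {"default_storage": "Cookie", "purge_interval": "1 hour 7 minutes"}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("fixed", FIXED)):
        print(name, evaluate(snap) or "compliant")
```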