I am trying to implement the new tags to remediate the CSRF finding in our scans but can't seem to get the CSRFVerifyToken to work. I found the following snippet and put it on a test page. It appears that the token is being generated, but when I try to use the CSRFVerifyToken tag, it returns NO. Is there something that I am doing wrong, or do you have to have a setting set in the administrator? We are using the most recent CF11.
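<!--- On submit, check the posted token against the one issued for the key "make-admin" --->
<cfif isDefined("form.submit") and CSRFVerifyToken(form.token, "make-admin")>
    perform operation
</cfif>
<form action="test.cfm" method="post">
    <cfoutput>
        <!--- Issue a token for the key "make-admin" and send it back with the form --->
        <input type="hidden" name="token" value="#CSRFGenerateToken("make-admin")#" />
    </cfoutput>
    <input type="submit" value="Make Administrator" name="submit" />
</form>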