Why is this an issue?
Session fixation attacks occur when an attacker can force a legitimate user to use a session ID that he knows. To avoid fixation attacks, it’s a
good practice to generate a new session each time a user authenticates and delete/invalidate the existing session (the one possibly known by the
attacker).
Noncompliant code example
In a Spring Security’s context, session fixation protection is enabled by default but can be disabled with sessionFixation().none()
method:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionFixation().none(); // Noncompliant: the existing session will continue
}
Compliant solution
In a Spring Security’s context, session fixation protection can be enabled as follows:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionFixation().newSession(); // Compliant: a new session is created without any of the attributes from the old session being copied over
// or
http.sessionManagement()
.sessionFixation().migrateSession(); // Compliant: a new session is created, the old one is invalidated and the attributes from the old session are copied over.
}
Resources