Session fixation attacks occur when an attacker can force a legitimate user to use a session ID that the attacker already knows, for instance by planting it in a link or a cookie before the user logs in. Once the user authenticates under that ID, the attacker can present the same ID and act as that user. To prevent fixation, generate a new session ID every time a user authenticates and invalidate the existing session (the one possibly known by the attacker).
Noncompliant Code Example
In Symfony Security's configuration, session fixation protection is disabled by setting the session_fixation_strategy option to none: the session ID the request arrived with is kept unchanged after authentication, so an ID planted by an attacker becomes an authenticated session:
<?php
// config/packages/security.php
namespace Symfony\Component\DependencyInjection\Loader\Configurator;

return static function (ContainerConfigurator $container) {
    $container->extension('security', [
        'session_fixation_strategy' => 'none', // Noncompliant: the pre-login session ID survives authentication
    ]);
};
Compliant Solution
In Symfony Security's configuration, session fixation protection is enabled by default (the default strategy is migrate). It can be set explicitly with the session_fixation_strategy option, using either migrate, which issues a new session ID on authentication while keeping the session's attributes, or invalidate, which destroys the whole session, attributes included, and starts a fresh one:
<?php
// config/packages/security.php
namespace Symfony\Component\DependencyInjection\Loader\Configurator;

return static function (ContainerConfigurator $container) {
    $container->extension('security', [
        'session_fixation_strategy' => 'migrate', // Compliant: new session ID on login, attributes kept ('invalidate' also works)
    ]);
};
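To make the difference between the three strategy values concrete, here is an added example that is not code from the original page or from Symfony. It models a session store in memory and replays the fixation scenario under each strategy: the attacker plants a session ID, the victim logs in with it, and the script checks whether the planted ID is now an authenticated session. The SessionStore class, the login() function and the 'cart' attribute are illustrative assumptions, not Symfony's session handler; it assumes PHP 8.0 or later.

```php
<?php
// Added example (not from the original page or from Symfony): a minimal in-memory
// session store that models the none / migrate / invalidate strategies and shows
// why "none" leaves an attacker-planted session ID valid after authentication.
// Assumes PHP 8.0+ (match expression, mixed type). All names are illustrative.

final class SessionStore
{
    /** @var array<string, array<string, mixed>> session ID => attributes */
    private array $sessions = [];

    /** Create a session; a caller-supplied ID stands in for an ID the attacker chose. */
    public function create(?string $id = null): string
    {
        $id ??= bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }

    public function exists(string $id): bool
    {
        return isset($this->sessions[$id]);
    }

    /** @return array<string, mixed> */
    public function attributes(string $id): array
    {
        return $this->sessions[$id] ?? [];
    }

    public function set(string $id, string $key, mixed $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    /** Like "migrate": issue a new ID, carry the attributes over, drop the old ID. */
    public function migrate(string $oldId): string
    {
        $newId = $this->create();
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }

    /** Like "invalidate": destroy the old session entirely and start an empty one. */
    public function invalidate(string $oldId): string
    {
        unset($this->sessions[$oldId]);
        return $this->create();
    }
}

/** Authenticate $user on the session the request arrived with, applying $strategy. */
function login(SessionStore $store, string $requestSessionId, string $user, string $strategy): string
{
    $sessionId = match ($strategy) {
        'none'       => $requestSessionId,                     // keep the incoming ID as-is
        'migrate'    => $store->migrate($requestSessionId),
        'invalidate' => $store->invalidate($requestSessionId),
        default      => throw new InvalidArgumentException("unknown strategy: $strategy"),
    };
    $store->set($sessionId, 'user', $user);
    return $sessionId;
}

foreach (['none', 'migrate', 'invalidate'] as $strategy) {
    $store = new SessionStore();

    // Constructed scenario: the attacker obtains a session ID and plants it in the
    // victim's browser (e.g. via a link or an injected cookie) before the victim logs in.
    $plantedId = $store->create();
    $store->set($plantedId, 'cart', ['item-42']);   // pre-login state the user would like to keep

    // The victim authenticates while carrying the planted ID.
    $userId = login($store, $plantedId, 'alice', $strategy);

    // Can the attacker now use the ID they planted as the authenticated user?
    $hijacked = $store->exists($plantedId)
        && ($store->attributes($plantedId)['user'] ?? null) === 'alice';

    printf(
        "%-10s ID changed: %-3s  planted ID usable by attacker: %-3s  cart kept: %s\n",
        $strategy,
        $userId !== $plantedId ? 'yes' : 'no',
        $hijacked ? 'yes' : 'no',
        isset($store->attributes($userId)['cart']) ? 'yes' : 'no'
    );
}
```

Run with `php fixation.php`: under none the planted ID is still usable by the attacker after login; under migrate and invalidate it is not, and the two differ only in whether pre-login attributes such as the cart survive. That is the trade-off to weigh when choosing between the two compliant values.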
See