31 lines
1008 B
Plaintext
31 lines
1008 B
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
== Noncompliant Code Example
|
||
|
|
|
||
|
|
In a Spring Security's context, session fixation protection is enabled by default but can be disabled with <code>sessionFixation().none()</code> method:
|
||
|
|
----
|
||
|
|
@Override
|
||
|
|
protected void configure(HttpSecurity http) throws Exception {
|
||
|
|
http.sessionManagement()
|
||
|
|
.sessionFixation().none(); // Noncompliant: the existing session will continue
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
In a Spring Security's context, session fixation protection can be enabled as follows:
|
||
|
|
----
|
||
|
|
@Override
|
||
|
|
protected void configure(HttpSecurity http) throws Exception {
|
||
|
|
http.sessionManagement()
|
||
|
|
.sessionFixation().newSession(); // Compliant: a new session is created without any of the attributes from the old session being copied over
|
||
|
|
|
||
|
|
// or
|
||
|
|
|
||
|
|
http.sessionManagement()
|
||
|
|
.sessionFixation().migrateSession(); // Compliant: a new session is created, the old one is invalidated and the attributes from the old session are copied over.
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|