2023-05-03 11:06:20 +02:00
== Why is this an issue?
2020-06-30 12:50:28 +02:00
include::../description.adoc[]
2023-05-03 11:06:20 +02:00
=== Noncompliant code example
2020-06-30 12:50:28 +02:00
2021-01-27 13:42:22 +01:00
In a Spring Security's context, session fixation protection is enabled by default but can be disabled with ``++sessionFixation().none()++`` method:
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 12:50:28 +02:00
----
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionFixation().none(); // Noncompliant: the existing session will continue
}
----
2023-05-03 11:06:20 +02:00
=== Compliant solution
2020-06-30 12:50:28 +02:00
In a Spring Security's context, session fixation protection can be enabled as follows:
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 12:50:28 +02:00
----
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionFixation().newSession(); // Compliant: a new session is created without any of the attributes from the old session being copied over
// or
http.sessionManagement()
.sessionFixation().migrateSession(); // Compliant: a new session is created, the old one is invalidated and the attributes from the old session are copied over.
}
----
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
