include::../description.adoc[]

== Noncompliant Code Example

In a Spring Security's context, session fixation protection is enabled by default but can be disabled with <code>sessionFixation().none()</code> method:

----
@Override
protected void configure(HttpSecurity http) throws Exception {
   http.sessionManagement()
     .sessionFixation().none(); // Noncompliant: the existing session will continue
}
----

== Compliant Solution

In a Spring Security's context, session fixation protection can be enabled as follows:

----
@Override
protected void configure(HttpSecurity http) throws Exception {
  http.sessionManagement()
     .sessionFixation().newSession(); // Compliant: a new session is created without any of the attributes from the old session being copied over

  // or

  http.sessionManagement()
     .sessionFixation().migrateSession(); // Compliant: a new session is created, the old one is invalidated and the attributes from the old session are copied over.
}
----

include::../see.adoc[]