40 lines
1.1 KiB
Plaintext
40 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
In a Spring Security's context, session fixation protection is enabled by default but can be disabled with ``++sessionFixation().none()++`` method:
|
|
|
|
----
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.sessionManagement()
|
|
.sessionFixation().none(); // Noncompliant: the existing session will continue
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In a Spring Security's context, session fixation protection can be enabled as follows:
|
|
|
|
----
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.sessionManagement()
|
|
.sessionFixation().newSession(); // Compliant: a new session is created without any of the attributes from the old session being copied over
|
|
|
|
// or
|
|
|
|
http.sessionManagement()
|
|
.sessionFixation().migrateSession(); // Compliant: a new session is created, the old one is invalidated and the attributes from the old session are copied over.
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::rspecator-view[]
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::rspecator-view[]
|