52 lines
1.3 KiB
Plaintext
52 lines
1.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
In a Spring Security's context, session fixation protection is enabled by default but can be disabled with ``++sessionFixation().none()++`` method:
|
|
|
|
[source,java]
|
|
----
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.sessionManagement()
|
|
.sessionFixation().none(); // Noncompliant: the existing session will continue
|
|
}
|
|
----
|
|
|
|
=== Compliant solution
|
|
|
|
In a Spring Security's context, session fixation protection can be enabled as follows:
|
|
|
|
[source,java]
|
|
----
|
|
@Override
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.sessionManagement()
|
|
.sessionFixation().newSession(); // Compliant: a new session is created without any of the attributes from the old session being copied over
|
|
|
|
// or
|
|
|
|
http.sessionManagement()
|
|
.sessionFixation().migrateSession(); // Compliant: a new session is created, the old one is invalidated and the attributes from the old session are copied over.
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|