Recipe Name:
Session Configuration: Invalidate the HttpSession after logout
Description:
Invalidate the user's HttpSession on logout
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Documentation

Spring Security's logout support invalidates the user's HttpSession by default. Calling invalidateHttpSession(false) opts out of that: logout still clears the SecurityContext, but the servlet session itself, and every other attribute stored in it, stays alive on the server until the session times out. The session ID that was in use before logout therefore remains a valid identifier, and state that should have been discarded outlives the logout. Keep the flag at true so that logging out actually ends the server-side session.

Before
http.logout().invalidateHttpSession(false);
After
http.logout().invalidateHttpSession(true);
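The two configurations side by side, followed by the check a reviewer would want: a MockMvc test that the session is really gone after POST /logout. This is an added example, not the recipe's or Spring Security's own code. It uses the Spring Security 6 lambda DSL rather than the chained style shown above, and it assumes a Spring Boot 3 application (an @SpringBootApplication class exists) with spring-boot-starter-web, spring-boot-starter-security, spring-boot-starter-test and spring-security-test on the classpath. The class names, the "cart" session attribute and the /login?logout URL are illustrative choices. Imports for both files are collected at the top.

```java
// Added example, not part of the recipe page. Two files shown in one listing;
// imports for both are collected here.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;

import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// --- src/main/java/.../LogoutSecurityConfig.java (hypothetical path) ---
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig {

    // BEFORE (what the recipe flags). Deliberately not registered as a @Bean.
    // Logout clears the SecurityContext, but the HttpSession object and every
    // other attribute in it stay valid on the server until the session times out.
    SecurityFilterChain weakFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout.invalidateHttpSession(false));
        return http.build();
    }

    // AFTER: the session is invalidated server-side and the cookie is dropped client-side.
    @Bean
    SecurityFilterChain hardenedFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutUrl("/logout")              // POST only while CSRF protection is enabled
                .invalidateHttpSession(true)       // the recipe's fix (also Spring Security's default)
                .clearAuthentication(true)         // default, shown explicitly
                .deleteCookies("JSESSIONID")       // tell the browser to drop the cookie as well
                .logoutSuccessUrl("/login?logout"));
        return http.build();
    }
}

// --- src/test/java/.../LogoutInvalidatesSessionTest.java (hypothetical path) ---
@SpringBootTest
@AutoConfigureMockMvc
class LogoutInvalidatesSessionTest {

    @Autowired
    MockMvc mvc;

    @Test
    void logoutInvalidatesTheHttpSession() throws Exception {
        // Constructed session standing in for a logged-in user's server-side state.
        MockHttpSession session = new MockHttpSession();
        session.setAttribute("cart", "3 items");

        mvc.perform(post("/logout").with(csrf()).session(session))
           .andExpect(status().is3xxRedirection());

        // Passes with invalidateHttpSession(true). With the weak configuration the
        // session object (and the "cart" attribute) would survive the logout, so
        // this assertion is the regression check for the recipe's finding.
        assertTrue(session.isInvalid());
    }
}
```

SecurityContextLogoutHandler calls request.getSession(false).invalidate() only when the flag is true, which is exactly what MockHttpSession.isInvalid() observes here; deleteCookies("JSESSIONID") is an addition beyond the recipe that removes the now-useless cookie from the browser but does nothing server-side on its own, so it is not a substitute for the invalidation.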
References
Recipe
id: scw:spring:security:session:invalidate
version: 10
metadata:
  name: 'Session Configuration: Invalidate the HttpSession after logout'
  shortDescription: Delete all sessions after logout
  level: warning
  language: java
  scwCategory: session:generic
  enabled: true
  comment: ""
  descriptionFile: descriptions/SessionConfigurationInvalidatetheHttpSessionafterlogout.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: invalidateHttpSession
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.LogoutConfigurer
availableFixes:
- name: Set invalidateHttpSession to true
  actions:
  - modifyArguments:
      rewrite:
        1: "true"