Sensei Logo Sensei Hub

Recipe - Session Configuration: Invalidate the HttpSession after logout

Description:
Delete all sessions after logout
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Documentation

For security reasons it's recommended to invalidate all sessions after logout.

Before
http.logout().invalidateHttpSession(false);
After
http.logout().invalidateHttpSession(true);
References
Recipe
id: scw:spring:security:session:invalidate
version: 10
metadata:
  name: 'Session Configuration: Invalidate the HttpSession after logout'
  shortDescription: Delete all sessions after logout
  level: warning
  language: java
  scwCategory: session:generic
  enabled: true
  comment: ""
  descriptionFile: descriptions/SessionConfigurationInvalidatetheHttpSessionafterlogout.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: invalidateHttpSession
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.LogoutConfigurer
availableFixes:
- name: Set invalidateHttpSession to true
  actions:
  - modifyArguments:
      rewrite:
        1: "true"