Recipe Name:
Protect against Session Fixation attacks
Description:
Spring Security's default protection against Session Fixation is disabled, which means an attacker could hijack a valid user session
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Documentation

An application is vulnerable to Session Fixation attacks when .sessionFixation() is set to .none(), because the session ID issued before authentication is kept after login. Spring Security's default setting is migrateSession(), which, upon creation of a new HTTP session, invalidates the old one and copies its attributes to the new session. Another option is newSession(), which creates a brand new session without any attributes from the old one and invalidates the latter.

Before
httpSecurity.sessionManagement().sessionFixation().none();
After
httpSecurity.sessionManagement().sessionFixation().newSession();
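The one-line Before/After above in the context of a full configuration class, as an added example that is not part of the recipe: the weak chain and the corrected chain side by side in Spring Security's lambda-style DSL. The class name, bean names and the surrounding formLogin/authorizeHttpRequests settings are assumed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the recipe). Class and bean names are assumed.
@Configuration
@EnableWebSecurity
public class SessionFixationConfig {

    // WEAK: equivalent to the recipe's "Before". With .none() the session ID
    // issued before login survives authentication, so a session ID an attacker
    // managed to plant in the victim's browser becomes an authenticated session.
    // Left without @Bean so it is never registered; shown only for contrast.
    public SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.none()));
        return http.build();
    }

    // FIXED: equivalent to the recipe's "After". On authentication the
    // pre-login session is invalidated and a fresh session is created;
    // newSession() drops the old attributes, migrateSession() would copy them.
    @Bean
    public SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.newSession()));
        return http.build();
    }
}
```

A quick check after applying the fix is to log in with a known JSESSIONID cookie and confirm the response sets a different one.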
References
Recipe
id: scw:spring:security:session:fixation
version: 10
metadata:
  name: Protect against Session Fixation attacks
  shortDescription: Spring Security's default protection against Session Fixation is disabled, which means an attacker could hijack a valid user session
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/ProtectagainstSessionFixationattacks.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  methodcall:
    name: none
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.SessionFixationConfigurer
    "on":
      methodcall:
        name: sessionFixation
        declaration:
          type: org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
        "on":
          methodcall:
            name: sessionManagement
            declaration:
              type: org.springframework.security.config.annotation.web.builders.HttpSecurity
availableFixes:
- name: Use newSession() to create a new session without preserving attributes of the old session
  actions:
  - rewrite:
      to: '{{{ qualifier }}}.newSession()'
- name: Use migrateSession() to create a new session with the attributes of the old session
  actions:
  - rewrite:
      to: '{{{ qualifier }}}.migrateSession()'