Recipe Name:
Security Misconfiguration: Prevent session from being included in the URL
Description:
Do not use URL Parameters for session tracking
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Documentation

Calling enableSessionUrlRewriting(true) allows the HTTP session identifier to be included in URLs. This can leak the session identifier and facilitates session fixation attacks. Spring Security prevents this when enableSessionUrlRewriting(false) is set, which is also the default setting.

Before
http.sessionManagement().enableSessionUrlRewriting(true);
After
http.sessionManagement().enableSessionUrlRewriting(false);
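The following configuration class is an added example, not code from the recipe or from Spring Security itself. It shows the corrected setting from the After snippet in a complete Spring Security 6 / Spring Boot 3 (jakarta namespace) configuration, and goes one step further than the recipe: it also asks the servlet container to track sessions by cookie only, so a ";jsessionid" URL is neither generated by the container nor accepted from a client. The class and bean names are hypothetical; the servlet-container step assumes a Spring Boot application where a ServletContextInitializer bean runs before the context is initialized.

```java
import java.util.EnumSet;

import jakarta.servlet.ServletContext;
import jakarta.servlet.SessionTrackingMode;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class: example only, not part of the recipe.
@Configuration
@EnableWebSecurity
public class SessionUrlHardeningConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Spring Security's default, stated explicitly: the wrapped response's
                // encodeURL()/encodeRedirectURL() will not append ";jsessionid=..." to
                // links or redirects, so the session id stays out of URLs.
                .enableSessionUrlRewriting(false)
                // Issue a fresh session id when a user authenticates, so an id that an
                // attacker planted before login is never promoted to an authenticated session.
                .sessionFixation(fixation -> fixation.migrateSession()));
        return http.build();
    }

    // Defence in depth at the servlet-container level (assumes Spring Boot): restrict
    // session tracking to the cookie mode, so the container itself neither rewrites
    // URLs nor honours a session id supplied in the URL path.
    @Bean
    ServletContextInitializer cookieOnlySessionTracking() {
        return (ServletContext servletContext) ->
            servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}
```

Spring Security implements enableSessionUrlRewriting(false) by guarding HttpServletResponse.encodeURL and encodeRedirectURL, so any code that overrides or wraps those methods should be reviewed separately, as the guard does not reach it. In a Spring Boot application the container-level setting can equivalently be expressed with the server.servlet.session.tracking-modes=cookie property instead of the initializer bean.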
References
Recipe
id: scw:spring:security:session:url-include
version: 10
metadata:
  name: 'Security Misconfiguration: Prevent session from being included in the URL'
  shortDescription: Do not use URL Parameters for session tracking
  level: warning
  language: java
  scwCategory: misconfig:infoexp
  enabled: true
  comment: ""
  descriptionFile: descriptions/SecurityMisconfigurationPreventHTTPsessionfrombeingincludedintheURL.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "true"
    name: enableSessionUrlRewriting
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
    "on":
      methodcall:
        name: sessionManagement
availableFixes:
- name: Set enableSessionUrlRewriting to false
  actions:
  - modifyArguments:
      rewrite:
        1: "false"