Recipe Name:
Security Misconfiguration: Prevent session from being included in the URL
Description:
Do not use URL Parameters for session tracking
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
- web
Documentation
enableSessionUrlRewriting(true) allows HTTP sessions to be included in the URL. This could bring about information leakage and facilitate session fixation attacks. Spring Security can prevent this by setting enableSessionUrlRewriting(false), which is also the default setting.
http.sessionManagement().enableSessionUrlRewriting(true);After
http.sessionManagement().enableSessionUrlRewriting(false);References
Recipe
id: scw:spring:security:session:url-include
version: 10
metadata:
name: 'Security Misconfiguration: Prevent session from being included in the URL'
shortDescription: Do not use URL Parameters for session tracking
level: warning
language: java
scwCategory: misconfig:infoexp
enabled: true
comment: ""
descriptionFile: descriptions/SecurityMisconfigurationPreventHTTPsessionfrombeingincludedintheURL.html
tags: Spring;security;framework specific;Spring Security;web
search:
methodcall:
args:
1:
type: boolean
value:
stringified: "true"
name: enableSessionUrlRewriting
declaration:
type: org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
"on":
methodcall:
name: sessionManagement
availableFixes:
- name: Set enableSessionUrlRewriting to false
actions:
- modifyArguments:
rewrite:
1: "false"