Session fixation attacks occur when an attacker can force a legitimate user to use a session ID that he knows. To avoid fixation attacks, it's a good practice to generate a new session each time a user authenticates and delete/invalidate the existing session (the one possibly known by the attacker).
In a Spring Security's context, session fixation protection is enabled by default but can be disabled with sessionFixation().none()
method:
@Override protected void configure(HttpSecurity http) throws Exception { http.sessionManagement() .sessionFixation().none(); // Noncompliant: the existing session will continue }
In a Spring Security's context, session fixation protection can be enabled as follows:
@Override protected void configure(HttpSecurity http) throws Exception { http.sessionManagement() .sessionFixation().newSession(); // Compliant: a new session is created without any of the attributes from the old session being copied over // or http.sessionManagement() .sessionFixation().migrateSession(); // Compliant: a new session is created, the old one is invalidated and the attributes from the old session are copied over. }