Missing Protection against Session Fixation Attacks

Overview

  • Rule ID: java_spring_missing_session_fixation

  • Applicable Languages: Java

  • Weakness ID: CWE-384

Description

A session fixation attack occurs when an attacker obtains a valid session ID, plants it in the victim's browser (for example through a crafted URL or an injected cookie) before the victim logs in, and then reuses that same ID once the victim has authenticated, hijacking the now-privileged session. By default, Spring Security mitigates this risk by issuing a different session ID at login: on Servlet 3.1+ containers it changes the ID of the existing session (changeSessionId()), and on older containers it migrates the session to a fresh one. Disabling this default behavior with sessionFixation().none() leaves the pre-login ID valid after login and exposes your application to session fixation attacks.

Remediation Guidelines

  • Do not disable Spring Security's default session fixation protection with none(); it removes a critical layer of security, because the session ID the attacker chose before login remains valid after login.

    http.sessionManagement().sessionFixation().none() // not recommended
  • Instead, leave the default in place or explicitly configure a strategy that replaces the session ID at login: changeSessionId() (the default on Servlet 3.1+, keeps the session attributes), migrateSession() (creates a new session and copies the attributes over), or newSession() (creates a new session and discards the attributes, which also drops the saved request used for post-login redirects). Any of these prevents an attacker-chosen ID from surviving authentication.

    http.sessionManagement().sessionFixation().changeSessionId() // default on Servlet 3.1+, or
    http.sessionManagement().sessionFixation().migrateSession() // or
    http.sessionManagement().sessionFixation().newSession()
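The following is an added example, not code from the original page or from the Spring project, showing a complete Spring Security configuration class that keeps session fixation protection enabled, with the weak none() form the rule flags shown alongside for contrast. The class name SessionFixationConfig, the /login page and the lambda-style DSL (Spring Security 5.7+/6) are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class used for this example.
@Configuration
@EnableWebSecurity
public class SessionFixationConfig {

    // Hardened form: the session ID is regenerated when authentication succeeds.
    // changeSessionId() is Spring Security's default on Servlet 3.1+ containers and keeps
    // the session attributes (including the SavedRequest used for the post-login redirect),
    // so an ID an attacker planted before login is worthless afterwards. The call is written
    // out explicitly here so the choice is visible in code review and not left implicit.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.changeSessionId()));
        return http.build();
    }

    /*
     * Weak form that triggers this rule, kept as a comment for contrast only; do not
     * register it. With none(), the JSESSIONID issued before login stays valid after
     * login, so an attacker who got that ID into the victim's browser shares the
     * authenticated session.
     *
     * @Bean
     * public SecurityFilterChain weakSecurityFilterChain(HttpSecurity http) throws Exception {
     *     http.sessionManagement(session -> session
     *         .sessionFixation(fixation -> fixation.none()));
     *     return http.build();
     * }
     */
}
```

To confirm the protection is active on a running application, request the login page with a fresh client, note the JSESSIONID in the Set-Cookie response header, then submit the login form with that cookie (and the CSRF token the form carries, since form login enables CSRF protection by default). The successful login response must carry a Set-Cookie with a different JSESSIONID; if the original value is still accepted for authenticated pages after login, fixation protection has been disabled somewhere in the filter chain.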

References

Configuration

To omit this rule during a scan, or to get continuous code-level scanning of your repositories, you can use our SAST TOOL.
