search
ProductsBook A DemoContact Us

Missing Protection against Session Fixation Attacks

hashtag
Overview

  • Rule ID: java_spring_missing_session_fixation

  • Applicable Languages: Java

  • Weakness ID: CWE-384

hashtag
Description

A session fixation attack occurs when an attacker sets a user's session ID to a known value before login, potentially leading to unauthorized session hijacking. By default, the Spring framework mitigates this risk by creating a new session or changing the user's session ID upon login. Disabling this default behavior increases your application's vulnerability to session fixation attacks.

hashtag
Remediation Guidelines

  • Do not disable Spring's default session fixation protection, as it removes a critical layer of security.

    http.sessionManagement().sessionFixation().none() // not recommended

  • Instead, implement a session fixation protection strategy by configuring Spring to create a new session or migrate to a new session ID upon login. This step is crucial for safeguarding user sessions against hijacking.

    http.sessionManagement().sessionFixation().newSession() // or
http.sessionManagement().sessionFixation().migrateSession()

hashtag
References

hashtag
Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOLarrow-up-right

PreviousMissing or Permissive SSL Hostname VerifierNextMissing Secure option in cookie configuration

Last updated