SV.SPRING.FIXATION

Session fixation protection is disabled

Session fixation protection is enabled by default in Spring Security. Klocwork reports an SV.SPRING.FIXATION defect whenever that protection is explicitly disabled.

Vulnerability and risk

To help prevent an attacker from using a session ID they already know to hijack a valid user session, the application should create a new session ID every time a session is created.

Session fixation protection is enabled by default but can be disabled by calling sessionFixation().none().

Mitigation and prevention

Create a new session with a new session ID each time. If the data from the last session is needed, migrating the session is also an option.

Vulnerable code example

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
public class SpringFixation extends WebSecurityConfigurerAdapter {
 
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.sessionManagement().sessionFixation().none(); // the pre-authentication session ID is kept after login
    }
}

Klocwork reports an SV.SPRING.FIXATION defect at line 8, indicating, "Use of sessionFixation().none() can disable session fixation protection, which is enabled by default." Disabling session fixation protection can compromise security.

Fixed code example 1

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
public class SpringFixation extends WebSecurityConfigurerAdapter {
 
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.sessionManagement().sessionFixation().newSession(); // fresh session and ID on login; old attributes are dropped
    }
}

Klocwork no longer reports an SV.SPRING.FIXATION defect because a new session with a new session ID is created.

Fixed code example 2

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
public class SpringFixation extends WebSecurityConfigurerAdapter {
 
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.sessionManagement().sessionFixation().migrateSession(); // fresh session and ID on login; old attributes are copied over
    }
}

Klocwork no longer reports an SV.SPRING.FIXATION defect because a new session with a new session ID is created and all the data from the old session is copied to the new session.
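The two fixes above differ only in what happens to the old session's attributes. The following added example (not Klocwork's or Spring's own code) drives the strategy that backs sessionFixation().newSession() and sessionFixation().migrateSession() directly with Spring's mock servlet classes, so a unit test can confirm that the session ID rotates on authentication and show which setting keeps the pre-login attributes. It assumes spring-test, spring-security-core and spring-security-web are on the classpath; the "cart" attribute and the user "alice" are constructed sample data.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// Added example, not part of the Klocwork page or the Spring project.
// Assumes spring-test, spring-security-core and spring-security-web are available.
public class SessionFixationCheck {

    /** Result of one simulated login: did the ID change, and what is "cart" afterwards? */
    static final class Outcome {
        final boolean idChanged;
        final Object cartAfter;
        Outcome(boolean idChanged, Object cartAfter) {
            this.idChanged = idChanged;
            this.cartAfter = cartAfter;
        }
    }

    /** Authenticate on a pre-existing session using the strategy behind newSession()/migrateSession(). */
    static Outcome authenticate(boolean migrateAttributes) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        // Constructed pre-login session; this is the ID that must not survive authentication.
        request.getSession(true).setAttribute("cart", "item-42");
        String idBefore = request.getSession().getId();

        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        // true  -> behaves like sessionFixation().migrateSession()
        // false -> behaves like sessionFixation().newSession()
        strategy.setMigrateSessionAttributes(migrateAttributes);

        Authentication auth = new TestingAuthenticationToken("alice", "pw", "ROLE_USER");
        strategy.onAuthentication(auth, request, new MockHttpServletResponse());

        // The mock request hands back the replacement session once the old one is invalidated.
        String idAfter = request.getSession().getId();
        return new Outcome(!idAfter.equals(idBefore), request.getSession().getAttribute("cart"));
    }

    public static void main(String[] args) {
        Outcome migrated = authenticate(true);
        Outcome fresh = authenticate(false);
        if (!migrated.idChanged || !fresh.idChanged) throw new AssertionError("session ID must rotate on login");
        if (!"item-42".equals(migrated.cartAfter)) throw new AssertionError("migrateSession should keep attributes");
        if (fresh.cartAfter != null) throw new AssertionError("newSession should drop non-Spring attributes");
        System.out.println("migrateSession: new ID, attributes kept; newSession: new ID, attributes dropped");
    }
}
```

Running the same check against a configuration that calls sessionFixation().none() would leave idBefore and idAfter equal, which is exactly the condition the checker flags.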
