SV.SPRING.FIXATION
Session fixation protection is disabled
Session fixation protection is always enabled by default. Klocwork reports an SV.SPRING.FIXATION defect whenever session fixation protection is disabled.
Vulnerability and risk
To help prevent an attacker from using a session ID to hijack a valid user session, it is always advisable for code to create a new session ID every time a session is created.
Session fixation protection is enabled by default but can be disabled by setting sessionFixation().none().
Mitigation and prevention
Create a new session with a new session ID each time. If the data from the last session is needed, migrating the session is also an option.
Vulnerable code example
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class SpringFixation extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // none() turns off the default protection: the session ID presented before login is kept
        httpSecurity.sessionManagement().sessionFixation().none();
    }
}
Klocwork reports an SV.SPRING.FIXATION defect at line 8, indicating, "Use of sessionFixation().none() can disable session fixation protection, which is enabled by default." Disabling session fixation protection can compromise security.
Fixed code example 1
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class SpringFixation extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // newSession(): a fresh session with a new ID is created on login; old attributes are discarded
        httpSecurity.sessionManagement().sessionFixation().newSession();
    }
}
Klocwork no longer reports an SV.SPRING.FIXATION defect because a new session is created.
Fixed code example 2
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class SpringFixation extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // migrateSession(): a fresh session with a new ID is created on login; old attributes are copied over
        httpSecurity.sessionManagement().sessionFixation().migrateSession();
    }
}
Klocwork no longer reports an SV.SPRING.FIXATION defect because a new session is created and all the data from the old session are copied to the new session.
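As an added illustration (not Klocwork's or Spring Security's own code), the servlet-level helper below shows what the two fixed configurations mean at login: both discard the session ID the client presented before authentication, and the migrate variant additionally carries the old session's attributes into the new one. It assumes a Servlet 3.x javax.servlet API and a container that issues unpredictable session IDs.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper showing the effect of newSession() and migrateSession().
 * Call one of these once the user has been authenticated, before writing the
 * authenticated principal into the session.
 */
public final class SessionFixationDemo {

    private SessionFixationDemo() {}

    /** Same effect as sessionFixation().newSession(): new ID, old attributes dropped. */
    public static HttpSession newSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();            // the pre-login ID is no longer valid on the server
        }
        return request.getSession(true); // container issues a new ID for the authenticated user
    }

    /** Same effect as sessionFixation().migrateSession(): new ID, old attributes copied over. */
    public static HttpSession migrateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            // Copy attributes first; they are unreachable once the session is invalidated
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        saved.forEach(fresh::setAttribute); // pre-login state survives under the new ID
        return fresh;
    }
}
```

With sessionFixation().none() neither step happens, so an ID known to a third party before login remains valid for the authenticated session; that is the condition the checker flags.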
External guidance
- CERT MSC11-J: Do not let session information leak within a servlet
- CWE-384: Session Fixation
- OWASP A2:2017 Broken Authentication
- OWASP A7:2021 Identification and Authentication Failures
- V-222577 (APSC-DV-002230): The application must not expose session IDs.
- V-222578 (APSC-DV-002240): The application must destroy the session ID value and/or cookie on logoff or browser close.
Security training
Application security training materials provided by Secure Code Warrior.