- A session ID carried as a URL parameter is easily exposed and can be used to hijack the session
- Disable URL rewriting so that JSESSIONID is never appended to the URL
- Set disable-url-rewriting="true" on the <http> element of the Spring Security namespace (Servlet 3.0 onwards)
Configuring Session Fixation Protection in web.xml

Vulnerable Code
- Allows an attacker to log in at the same time as the user and perform attacks in that session

Secure Code
- Prevents attackers from performing attacks when a user is logged in

Prevent Session Fixation with Spring Security
Spring Security provides session fixation protection
- Configure the session-fixation-protection attribute to prevent session fixation
- The session-fixation-protection attribute determines what happens to the existing session when an already authenticated user tries to log in again
The following values can be assigned:
- migrateSession (default): creates a new HTTP session and invalidates the old one after copying its attributes
- none: the old session is kept and is not invalidated
- newSession: a new HTTP session is created without copying the attributes of the old one
<Configuring Session Fixation Protection in XML>

Java Configuring for Session Fixation Protection
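As an added example, not code from the slides, a Spring Security Java configuration that applies the session fixation strategy described above and switches the container to cookie-only session tracking so no JSESSIONID is written into URLs. It assumes Spring Boot 2.x with Spring Security 5.6 or later (javax.servlet); the class and bean names are made up for illustration.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class (name chosen for this example)
@Configuration
@EnableWebSecurity
public class SessionFixationConfig {

    // Java-config equivalent of
    // <session-management session-fixation-protection="migrateSession"/>
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.permitAll())
            .sessionManagement(session -> session
                // Strategy applied when a user authenticates:
                //   migrateSession() - new session ID, old attributes copied (the default)
                //   newSession()     - new session ID, old attributes dropped
                //   none()           - session ID kept; leaves the app open to fixation
                .sessionFixation(fixation -> fixation.migrateSession()));
        return http.build();
    }

    // Servlet 3.0 counterpart of disable-url-rewriting="true": restricting the
    // container to COOKIE tracking means the session ID is never appended to URLs.
    // The web.xml form of the same setting is
    // <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
    @Bean
    public ServletContextInitializer cookieOnlySessionTracking() {
        return (ServletContext servletContext) ->
            servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}
```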
Prevent Session Fixation with Spring Security (Cont’d)
Vulnerable Code
- Allows an attacker to log in at the same time as the user and perform attacks in that session

Secure Code
- Prevents attackers from performing attacks when a user is logged in
