AWS logo
Amazon CodeGuruDetector Library

Session fixation Critical

Session fixation might allow an attacker to reuse an existing session identifier in order to gain access to an authenticated session. Previous session IDs must be invalidated when authenticating new users.

Detector ID
java/session-fixation@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1public Object sessionFixationConfigurerNoncompliant(SessionManagementConfigurer.SessionFixationConfigurer sessionFixationConfigurer) {
2    // Noncompliant: session fixation protection is disabled.
3    return sessionFixationConfigurer.none();
4}

Compliant example

1public Object sessionFixationConfigurerCompliant(SessionManagementConfigurer.SessionFixationConfigurer sessionFixationConfigurer) {
2    // Compliant: session fixation protection is enabled.
3    return sessionFixationConfigurer.migrateSession();
4}