Session fixation might allow an attacker to reuse an existing session identifier in order to gain access to an authenticated session. Previous session IDs must be invalidated when authenticating new users.
1public Object sessionFixationConfigurerNoncompliant(SessionManagementConfigurer.SessionFixationConfigurer sessionFixationConfigurer) {
2 // Noncompliant: session fixation protection is disabled.
3 return sessionFixationConfigurer.none();
4}
1public Object sessionFixationConfigurerCompliant(SessionManagementConfigurer.SessionFixationConfigurer sessionFixationConfigurer) {
2 // Compliant: session fixation protection is enabled.
3 return sessionFixationConfigurer.migrateSession();
4}