Missing protection against session fixation attacks

Description

A session fixation attack is one in which an attacker sets a user's session ID to a value the attacker already knows before the user logs in. If the victim then authenticates on that fixed session, the attacker can reuse the known ID to hijack the authenticated session. The Spring framework, by default, protects against session fixation by creating a new session or changing the user's session ID upon login. Disabling this default behaviour puts your application at increased risk of session fixation attacks.

Remediations

  • Do not disable Spring's default session fixation protection. Disabling it removes a critical layer of security.
    http.sessionManagement().sessionFixation().none() // not recommended
  • Do implement a session fixation protection strategy by configuring Spring to either create a new session or migrate to a new session ID upon login. This step is crucial for safeguarding user sessions against hijacking.
    http.sessionManagement().sessionFixation().newSession() // or
    http.sessionManagement().sessionFixation().migrateSession()
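The following configuration class is an added example (not code from this rule's page or from the Spring project) that shows the flagged setting next to the remediated one in a single place. It assumes Spring Security 6 with the lambda-style DSL and Spring Boot auto-configuration; the bean and class names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SessionFixationConfig {  // hypothetical class name

    /*
     * Weak configuration that this rule reports. Kept here, commented out, only
     * to show the pattern: sessionFixation().none() keeps the pre-login session
     * ID after authentication, so an ID planted before login stays valid.
     *
     * @Bean
     * public SecurityFilterChain insecureChain(HttpSecurity http) throws Exception {
     *     http
     *         .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
     *         .formLogin(Customizer.withDefaults())
     *         .sessionManagement(session -> session
     *             .sessionFixation(fixation -> fixation.none()));
     *     return http.build();
     * }
     */

    // Remediated configuration: on successful authentication Spring Security
    // invalidates the old session and issues a fresh session ID. migrateSession()
    // copies existing session attributes (e.g. a shopping cart) into the new
    // session; newSession() would start from an empty session instead.
    @Bean
    public SecurityFilterChain secureChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.migrateSession()));
        return http.build();
    }
}
```

A quick check after deploying the remediated chain: the `JSESSIONID` value issued before the login form is submitted must differ from the one returned in the `Set-Cookie` header after a successful login. If the two are identical, fixation protection is still disabled somewhere in the filter chain.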

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_spring_missing_session_fixation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_spring_missing_session_fixation