Missing protection against session fixation attacks


A session fixation attack is when an attacker sets a user's session ID to a known value before login. This can lead to unauthorized session hijacking. Spring framework, by default, protects against session fixation attacks by creating a new session or changing the user's session ID upon login. Disabling this default behaviour puts your application at increased risk of session fixation attacks.


  • Do not disable Spring's default session fixation protection. Disabling it removes a critical layer of security.
    http.sessionManagement().sessionFixation().none() // not recommended
  • Do implement a session fixation protection strategy by configuring Spring to either create a new session or migrate to a new session ID upon login. This step is crucial for safeguarding user sessions against hijacking.
    http.sessionManagement().sessionFixation().newSession() // or


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_spring_missing_session_fixation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_spring_missing_session_fixation