Why this matters
An application that keeps the pre-authentication session after a user logs in is open to session fixation: an attacker plants a known session identifier in the victim's browser (for example through a crafted link or an injected cookie), waits for the victim to authenticate, and then reuses that same identifier to act as the authenticated user.
Ensure that the session identifier is always renewed when a user authenticates. In Spring Security this is controlled by sessionManagement().sessionFixation(): none() disables the protection, while changeSessionId() (the default on Servlet 3.1+ containers), migrateSession() (new session, attributes copied) and newSession() (new session, attributes dropped) all invalidate the identifier the attacker fixed.
Side-by-side examples engineers can pattern-match during review.
Noncompliant code example

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .sessionFixation().none(); // Noncompliant: the existing session will continue
    }

Compliant solution

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .sessionFixation().migrateSession();
    }
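The examples above use the WebSecurityConfigurerAdapter style, which is deprecated in Spring Security 5.7 and removed in 6.0. The following is an added example, not code from the original page or from Spring Security's own sources, showing the same protection expressed as a SecurityFilterChain bean with the lambda DSL; it assumes Spring Security 6.x on a Servlet 3.1+ container, and the class name SessionFixationConfig is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class (added example, assumes Spring Security 6.x).
@Configuration
@EnableWebSecurity
public class SessionFixationConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Compliant: on successful authentication Spring Security calls
                // HttpServletRequest#changeSessionId(), so the session keeps its
                // attributes but gets a fresh identifier. A session ID an attacker
                // fixed before login is no longer valid afterwards.
                //
                // Alternatives that also renew the identifier:
                //   fixation.migrateSession()  - invalidate, create a new session, copy attributes
                //   fixation.newSession()      - invalidate, create a new session, drop attributes
                // Never use fixation.none() unless the container itself renews the ID.
                .sessionFixation(fixation -> fixation.changeSessionId())
            );
        return http.build();
    }
}
```

To verify the setting in a deployed application, capture the session cookie issued before login, submit the login form with that cookie, and compare the cookie in the response: a compliant configuration returns a different session identifier, a none() configuration returns the same one.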