  • session-fixation-protection

    Hi,
    I'm quite new to Spring Security. I want to know why we would want to change the "session-fixation-protection" property, and which scenarios need such a change? Also, could someone explain the three values never, newSession and migrateSession a bit more elaborately?

    Thanks

  • #2
    Your question is explained clearly in the Spring Security reference doc. Session-fixation-protection is a technique of changing the JSESSIONID when the user logs in. I suggest referring to the Spring Security doc.

    • #3
      Also, OWASP has an article on session fixation attacks in general: Link

      Here's the relevant portion of the Spring Sec docs: Link

      • #4
        Hi,
        Thanks for your replies, but I'm still confused about the difference between the parameter values "none" and "newSession". It would be great if someone could describe them.

        Thank you

        • #5
          Indicates whether an existing session should be invalidated when a user authenticates and a new session started.
          If set to "none" no change will be made.
          "newSession" will create a new empty session.
          "migrateSession" will create a new session and copy the session attributes to the new session.
          Defaults to "migrateSession".

          It is used when you try to log in: a JSESSIONID is generated, and depending on the requirement you can set any of the above 3 options.

          • #6
            Thank you rohan,
            To make it clear: if we use "none" we are susceptible to session fixation attacks.
            And if we use "newSession" we are not. And for "migrateSession" it says it copies session attributes. What are the attributes that it copies?

            Thank you

            • #7
              Originally posted by chamila_ruw:
              Thank you rohan,
              To make it clear: if we use "none" we are susceptible to session fixation attacks.
              And if we use "newSession" we are not. And for "migrateSession" it says it copies session attributes. What are the attributes that it copies?

              Thank you
              It will copy all attributes of the session, unless you configure this feature using explicit bean configuration. You are correct about "none" vs "newSession".

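As an added illustration of the three values discussed in #5 and #7 (not code from Spring Security or any poster), the following Python simulation models a container's session store and shows, for each strategy, whether the pre-login session id survives authentication and whether its attributes are carried over. The `SessionStore`, `login` and `demo` names and the "cart" attribute are constructed for this example.

```python
import secrets


class SessionStore:
    """Constructed stand-in for the servlet container's session registry."""

    def __init__(self):
        self.sessions = {}  # session id -> dict of session attributes

    def create(self, attributes=None):
        sid = secrets.token_hex(16)  # fresh, unpredictable session id
        self.sessions[sid] = dict(attributes or {})
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


def login(store, sid, user, strategy):
    """Authenticate `user` on session `sid` using one of the three strategies.

    Returns the session id the client holds after login.
    """
    if strategy == "none":
        # No change: the pre-login id stays valid and now carries the principal.
        store.sessions[sid]["principal"] = user
        return sid
    if strategy == "newSession":
        # Rotate the id and start from an empty session (old attributes dropped).
        store.invalidate(sid)
        return store.create({"principal": user})
    if strategy == "migrateSession":
        # Rotate the id but carry every attribute of the old session across.
        attrs = dict(store.sessions[sid])
        store.invalidate(sid)
        attrs["principal"] = user
        return store.create(attrs)
    raise ValueError(f"unknown strategy: {strategy}")


def demo(strategy):
    """Return (old id still valid, id changed, pre-login attribute kept)."""
    store = SessionStore()
    pre_login = store.create({"cart": ["book"]})  # constructed pre-auth state
    post_login = login(store, pre_login, "alice", strategy)
    return (store.is_valid(pre_login),
            post_login != pre_login,
            store.sessions[post_login].get("cart") == ["book"])
```

Only "none" leaves the id that existed before authentication usable afterwards, which is the property a session fixation attack relies on; "newSession" and "migrateSession" both rotate it, differing only in whether the old attributes are kept.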