The framework offers protection against typical Session Fixation attacks by configuring what happens to an existing session when the user tries to authenticate again:
<session-management session-fixation-protection="migrateSession"> ...
The corresponding Java configuration:
http.sessionManagement()
.sessionFixation()
.migrateSession()
// .none()
// .newSession()
// .changeSessionId()By default, Spring Security has this protection enabled (“migrateSession“) – on authentication a new HTTP Session is created, the old one is invalidated and the attributes from the old session are copied over.
If this is not the desired behavior, two other options are available:
- when “none” is set, the original session will not be invalidated
- when “newSession” is set, a clean session will be created without any of the attributes from the old session being copied over
- when “changeSessionId” is set, changes the current session id with a new one