
18 Session Fixation Prevention - Reference Documentation

Authors: Burt Beckwith, Beverley Talbott

Version: 2.0.0

18 Session Fixation Prevention

To guard against session-fixation attacks, make sure the useSessionFixationPrevention attribute is set to true (it is the default in this version, so only an explicit false disables it):

grails.plugin.springsecurity.useSessionFixationPrevention = true

Upon successful authentication the existing HTTP session is invalidated, a new session with a fresh id is created, and (when sessionFixationPrevention.migrate is true) the previous session's attributes are copied into it. So if you started your session by clicking a link crafted by someone trying to hijack your account, one that carried a session id they already knew, that id stops being valid the moment you log in: the attacker no longer shares your session, because your authenticated session has an id only your browser has seen.

Session fixation is less of a problem now that Grails by default does not include the jsessionid in URLs (see this JIRA issue), since a session id can no longer be planted through a crafted link alone; an attacker who can set cookies for your domain can still fix a session, however, so it's still a good idea to use this feature.

Note that there is an issue when using the cookie-session plugin; see this issue for more details.

The table shows the configuration options for session fixation prevention (all under the grails.plugin.springsecurity prefix).

Property                                        Default Value   Meaning
useSessionFixationPrevention                    true            Whether to use session fixation prevention.
sessionFixationPrevention.migrate               true            Whether to copy the session attributes of the existing session to the new session after login.
sessionFixationPrevention.alwaysCreateSession   false           Whether to always create a session even if one did not exist at the start of the request.
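The login-time behaviour described above, with the three options from the table, as an added Python model. This is example code written for this page, not the Spring Security Core plugin's own implementation: the in-memory session store, the attribute names ("cart", "user") and the attacker scenario are constructed for the illustration, and the option names simply mirror the properties in the table so the effect of each setting can be seen side by side.

```python
"""Model of what happens to the HTTP session when authentication succeeds.

Added illustration only; not the Spring Security Core plugin's code. Option
names mirror the page's three properties, defaults mirror the table above.
The session store, ids and attacker scenario are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Config:
    useSessionFixationPrevention: bool = True
    migrate: bool = True               # sessionFixationPrevention.migrate
    alwaysCreateSession: bool = False  # sessionFixationPrevention.alwaysCreateSession


@dataclass
class SessionStore:
    """Server-side sessions, id -> attribute map (stand-in for the container)."""
    sessions: dict = field(default_factory=dict)

    def create(self) -> str:
        sid = secrets.token_hex(16)  # fresh, unguessable id
        self.sessions[sid] = {}
        return sid

    def is_active(self, sid) -> bool:
        return sid is not None and sid in self.sessions


def on_authentication(store: SessionStore, cfg: Config, presented_sid):
    """Session handling at the moment login succeeds.

    presented_sid is the id the browser sent with the login request (None if it
    sent none). Returns the id the browser should use from now on, or None when
    this step leaves no session in place.
    """
    had_session = store.is_active(presented_sid)
    if not cfg.useSessionFixationPrevention:
        # Weak setting: whatever id arrived, attacker-chosen or not, stays valid.
        return presented_sid if had_session else None
    if not had_session and not cfg.alwaysCreateSession:
        # Nothing to protect: no id existed before login that could have been fixed.
        return None
    new_sid = store.create()
    if had_session:
        old_attrs = store.sessions.pop(presented_sid)  # old id is dead from here on
        if cfg.migrate:
            store.sessions[new_sid].update(old_attrs)  # carry anonymous state across
    return new_sid


def fixation_scenario(cfg: Config):
    """Attacker plants a session id they know on the victim, who then logs in.

    Returns (attacker_id_still_valid, victim_id, victim_session_attributes).
    """
    store = SessionStore()
    planted_sid = store.create()                    # attacker obtains a real id
    store.sessions[planted_sid]["cart"] = ["book"]  # victim browses on the planted id
    victim_sid = on_authentication(store, cfg, planted_sid)
    if victim_sid is not None:
        store.sessions[victim_sid]["user"] = "alice"  # principal stored after login
    return (store.is_active(planted_sid), victim_sid,
            dict(store.sessions.get(victim_sid, {})))


if __name__ == "__main__":
    cases = [("prevention off", Config(useSessionFixationPrevention=False)),
             ("prevention on, migrate", Config()),
             ("prevention on, no migrate", Config(migrate=False))]
    for label, cfg in cases:
        hijacked, _sid, attrs = fixation_scenario(cfg)
        print(f"{label}: attacker id still valid={hijacked}, attributes={attrs}")
```

With prevention off, the attacker's planted id is the one that ends up holding the authenticated principal, which is the hijack the feature exists to stop. With prevention on, the planted id is gone after login and only the new id carries the user; migrate decides whether pre-login state such as the cart survives, and alwaysCreateSession only matters for a login request that arrived with no session at all.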