Java Session Id Not Regenerated
Description
Detects session fixation vulnerabilities in Java web applications where session IDs are not regenerated after user authentication. This can allow attackers to hijack user sessions by forcing them to use a known session ID, potentially leading to unauthorized access to user accounts.
Detection Strategy
• Checks if Java Servlet HTTP libraries are imported in the application code
• Identifies login controller methods in the application
• Analyzes session management code within login controllers
• Reports a vulnerability when a login controller fails to create a new session or regenerate the session ID after successful authentication
• Specifically looks for missing calls to session-regeneration methods, such as invalidate() followed by getSession(true) or similar, in the authentication flow
Vulnerable code example
    @Controller
    public class VulnerableLoginController {
        @PostMapping("/login")
        protected void doLogin(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            String user = req.getParameter("username");
            ...

✅ Secure code example
    @Controller
    public class SecureLoginController {
        @PostMapping("/login")
        protected void doLogin(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            String user = req.getParameter("username");
            ...
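The two truncated controllers above, written out in full as an added example (this is not Fluid Attacks' code; the authenticate() check, the password parameter, the /home redirect, the /vulnerable/login path and the javax.servlet package are assumptions). The vulnerable handler binds the user to whatever session the request arrived with, so a session ID planted before login stays valid afterwards; the secure handler invalidates that session and issues a fresh ID before storing the principal, which is the pattern this rule expects to find.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;

// Assumed credential check for this example; the real one lives in the application.
final class Credentials {
    static boolean authenticate(String user, String password) {
        return user != null && password != null && !user.isEmpty() && !password.isEmpty();
    }
}

@Controller
class VulnerableLoginController {
    // Session fixation: the session (and its ID) that existed before login is reused.
    @PostMapping("/vulnerable/login")
    protected void doLogin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (!Credentials.authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true); // returns the pre-login session if one exists
        session.setAttribute("user", user);
        resp.sendRedirect("/home");
    }
}

@Controller
class SecureLoginController {
    @PostMapping("/login")
    protected void doLogin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (!Credentials.authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard the pre-authentication session so a previously planted ID is no longer valid,
        // then bind the principal only to a freshly created session with a new ID.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        resp.sendRedirect("/home");
    }
}
```

On Servlet 3.1 or later, req.changeSessionId() is an alternative that rotates the ID while keeping existing attributes; the invalidate-then-create pattern above is the one the detection strategy checks for.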