Java Concurrent Sessions Unlimited
Description
Detects when a Java Spring application fails to limit the number of concurrent sessions a single user may hold. Without an enforced maximum concurrent session limit, attackers can perform session fixation attacks or denial of service by creating unlimited sessions for a single user account.
Detection Strategy
• Check whether Spring Security-related imports are present in the application code
• Look for HttpSecurity configuration methods in the security setup code
• Verify whether maximumSessions() is either not configured or set to allow unlimited sessions
• Flag configurations where session control mechanisms are absent or misconfigured so that unlimited concurrent logins are allowed
Vulnerable code example
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
public class InsecureSessionConfig extends WebSecurityConfigurerAdapter {
private int insecureMaxSessions = 2; // Hardcoded session limit is a security risk
@Override...
✅ Secure code example
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.context.annotation.Bean;
...
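Added example (not code from this page or from Fluid Attacks): a complete Spring Security configuration that enforces the per-user session limit the detection strategy checks for, written in the SecurityFilterChain bean style that replaces WebSecurityConfigurerAdapter in Spring Security 5.7 and later. The property name app.security.max-sessions and the /login?expired URL are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig {

    // Limit is read from configuration instead of being hardcoded in the class.
    // "app.security.max-sessions" is an assumed property name; default is 1.
    @Value("${app.security.max-sessions:1}")
    private int maxSessionsPerUser;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.permitAll())
            .sessionManagement(session -> session
                // Without maximumSessions() Spring Security never counts sessions
                // per principal, so one account can hold unbounded live sessions.
                .maximumSessions(maxSessionsPerUser)
                // false (default): expire the oldest session when the limit is hit.
                // true: reject the new login instead.
                .maxSessionsPreventsLogin(false)
                // Where a request on an expired session is redirected (assumed URL).
                .expiredUrl("/login?expired")
                .sessionRegistry(sessionRegistry()));
        return http.build();
    }

    // Registry that tracks which live sessions belong to which principal.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes session-destroyed events so logged-out and timed-out sessions
    // are removed from the registry; without it dead sessions still count
    // toward the limit and lock users out.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The registry keys sessions by principal object, so a custom UserDetails class must implement equals() and hashCode() for the count to be correct.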