javasessiongetattributeveracodesession-fixation

Veracode CWE 384 Session Fixation


I'm fixing flaws found by veracode static scan and I found several flaws session fixation like these:

OWASP said I should invalidate session after logout and login but there's no login around these lines. I don't understand why it is being detected this flaw in this lines. Could you help me to understand why this is happening and how to fix it?


Solution

  • What OWASP said is right, you need to invalidate session at time of log out which is more of generic comment. As you have rightly mentioned there is no logging around these lines of code, I see you are trying to get the session to set and retrieve the values out of it.

    Would be good if you post more code to understand it in a better way.

    You can mark it as false positive in veracode (or provide fix as no fix and provide appropriate clarification for mitigation ) in case you are sure if it doesn't impact system much.