Certified Application Security Engineer – Java (CASE-Java) — Question 10

Which of the following Spring Security Framework configuration setting will ensure the protection from session fixation attacks by not allowing authenticated user to login again?

Answer options

• A. session-fixation-protection ="newSessionID"
• B. session-fixation-protection ="migrateSession"
• C. session-fixation-protection ="enabled"
• D. session-fixation-protection ="protectSession"

Correct answer: B

Explanation

The correct option, B (session-fixation-protection ="migrateSession"), allows the session to be re-assigned to a new session ID when a user logs in, effectively preventing session fixation attacks. Option A does not properly facilitate session migration, while C and D do not specify the necessary mechanism to change the session ID upon login.