Class SessionManagementConfigurer.SessionFixationConfigurer

java.lang.Object
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.SessionFixationConfigurer
Enclosing class:
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>

public final class SessionManagementConfigurer.SessionFixationConfigurer extends Object
Allows configuring SessionFixation protection
  • Constructor Details

    • SessionFixationConfigurer

      public SessionFixationConfigurer()
  • Method Details

    • newSession

      public SessionManagementConfigurer<H> newSession()
      Specifies that a new session should be created, but the session attributes from the original HttpSession should not be retained.
      Returns:
      the SessionManagementConfigurer for further customizations
    • migrateSession

      public SessionManagementConfigurer<H> migrateSession()
      Specifies that a new session should be created and the session attributes from the original HttpSession should be retained.
      Returns:
      the SessionManagementConfigurer for further customizations
    • changeSessionId

      public SessionManagementConfigurer<H> changeSessionId()
      Specifies that the Servlet container-provided session fixation protection should be used. When a session authenticates, the Servlet method HttpServletRequest#changeSessionId() is called to change the session ID and retain all session attributes.
      Returns:
      the SessionManagementConfigurer for further customizations
    • none

      Specifies that no session fixation protection should be enabled. This may be useful when utilizing other mechanisms for protecting against session fixation. For example, if application container session fixation protection is already in use. Otherwise, this option is not recommended.
      Returns:
      the SessionManagementConfigurer for further customizations