Servlet 3.0 and lower
- Copy the required data from the old session
- Invalidate the old session - httpServletRequest.getSession(false).invalidate();
- Create a new session, which is assigned a different JSESSIONID - getSession()
- Save the copied data from the old session in the new session.
Source code here: https://stackoverflow.com/a/44065501/970200
Servlet 3.1 and higher
httpServletRequest.changeSessionId();
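The four-step Servlet 3.0 procedure above, written out as a login servlet (this is an added example, not code from the original post or from the linked Stack Overflow answer). It assumes the javax.servlet API; on a Servlet 3.1+ container the body of rotateSession() collapses to the single changeSessionId() call shown above. LoginServlet, rotateSession and authenticate are names chosen for this example, and authenticate is a placeholder for the application's own credential check.

```java
// Added example: rotate the session ID after a successful login using the
// manual Servlet 3.0 procedure (copy, invalidate, recreate, restore).
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    /**
     * Invalidates the caller's current session and returns a fresh one that
     * carries the same attributes but a different JSESSIONID. Call this only
     * AFTER authentication has succeeded, and store the authenticated
     * principal in the new session, never in the pre-login one.
     * On Servlet 3.1+ this whole method is equivalent to
     * request.changeSessionId(); followed by request.getSession().
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> copied = new HashMap<>();
        if (old != null) {
            // 1. Copy the data worth keeping (e.g. a shopping cart, locale).
            for (String name : Collections.list(old.getAttributeNames())) {
                copied.put(name, old.getAttribute(name));
            }
            // 2. Invalidate the old session so any ID the attacker planted
            //    before login stops being valid.
            old.invalidate();
        }
        // 3. Create a new session; the container issues a new JSESSIONID.
        HttpSession fresh = request.getSession(true);
        // 4. Restore the copied data into the new session.
        for (Map.Entry<String, Object> e : copied.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Credentials verified: rotate the ID first, then mark the session
        // as authenticated so the principal only ever lives in the new ID.
        HttpSession session = rotateSession(req);
        session.setAttribute("principal", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Placeholder (assumption): replace with the application's real check
    // against its credential store (password hash verification, LDAP, ...).
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty();
    }
}
```

The order matters: the principal is written only after the old session has been invalidated, so a session ID fixed by an attacker before login never becomes an authenticated one.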
Spring Security
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // newSession(): on authentication, discard the old session and start a
        // fresh one with a new ID (attributes are not carried over).
        // migrateSession() does the same but copies the attributes, and
        // changeSessionId() uses the Servlet 3.1 call shown above.
        httpSecurity.sessionManagement().sessionFixation().newSession();
    }
    …
}
```
References
Good explanation on Session fixation attack prevention https://t.co/sZ1LQXXzrx
— Ian Lim (@mallim) June 18, 2019
Milestones: How to change Session ID after a successful login https://t.co/9mjjzaZEbD
— Ian Lim (@mallim) June 18, 2019