Session fixation attacks occur when an attacker can force a legitimate user to use a session ID that the attacker already knows. To prevent fixation attacks, it is good practice to generate a new session each time a user authenticates and to delete or invalidate the existing session (the one possibly known to the attacker).

Noncompliant Code Example

In the Symfony Security component's configuration, session fixation protection is disabled by setting the session_fixation_strategy attribute to the value none:

<?php
// Security configuration (typically config/packages/security.php)
namespace Symfony\Component\DependencyInjection\Loader\Configurator;

return static function (ContainerConfigurator $container) {
    $container->extension('security', [
        // Keeps the pre-authentication session ID after login
        'session_fixation_strategy' => 'none', // Noncompliant
    ]);
};

Compliant Solution

In the Symfony Security component's configuration, session fixation protection is enabled by default. It can be enabled explicitly by setting the session_fixation_strategy attribute to migrate or invalidate:

<?php
// Security configuration (typically config/packages/security.php)
namespace Symfony\Component\DependencyInjection\Loader\Configurator;

return static function (ContainerConfigurator $container) {
    $container->extension('security', [
        // A new session ID is issued on authentication ('invalidate' is also compliant)
        'session_fixation_strategy' => 'migrate', // Compliant
    ]);
};
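The following added example (not Symfony's own code, and not taken from this rule's description) shows what the three values of session_fixation_strategy amount to in plain PHP session terms, applied right after a successful authentication. The function names applyFixationStrategy and loginWith, the constructed 'cart' attribute and the CLI demo setup are this example's own assumptions; Symfony performs the equivalent internally on its session object.

```php
<?php
declare(strict_types=1);

// Added illustration of the three session_fixation_strategy values, expressed
// with native PHP session functions. Not Symfony's implementation.

/**
 * Apply the chosen session fixation strategy after a successful login.
 *   'none'       keep the pre-login session ID (an ID planted by an attacker stays valid)
 *   'migrate'    issue a new session ID, delete the old one, keep the session attributes
 *   'invalidate' discard every attribute of the pre-login session, then issue a new ID
 */
function applyFixationStrategy(string $strategy): void
{
    switch ($strategy) {
        case 'none':
            // Nothing happens: the ID known before authentication remains usable.
            break;
        case 'migrate':
            // true = delete the old session data so the old ID cannot be reused.
            session_regenerate_id(true);
            break;
        case 'invalidate':
            // Drop everything the pre-authentication session held, then rotate the ID.
            $_SESSION = [];
            session_regenerate_id(true);
            break;
        default:
            throw new InvalidArgumentException("Unknown session_fixation_strategy: $strategy");
    }
}

/**
 * Simulate a login under the given strategy and report the effect.
 * Returns ['id_changed' => bool, 'attributes_kept' => bool].
 */
function loginWith(string $strategy, string $username): array
{
    $idBefore = session_id();
    $_SESSION['cart'] = ['item-42']; // constructed attribute set before login
    applyFixationStrategy($strategy);
    $_SESSION['user'] = $username;   // mark the session as authenticated
    return [
        'id_changed'      => $idBefore !== session_id(),
        'attributes_kept' => isset($_SESSION['cart']),
    ];
}

// CLI demo: no cookies, so session_start() creates a fresh session in the temp dir.
ini_set('session.save_path', sys_get_temp_dir());
ini_set('session.use_cookies', '0');
session_start();

$report = [];
foreach (['none', 'migrate', 'invalidate'] as $strategy) {
    $report[$strategy] = loginWith($strategy, 'alice');
}
session_write_close();

// Output is printed only after the session is closed, because
// session_regenerate_id() refuses to run once output has been sent.
foreach ($report as $strategy => $result) {
    printf("%-10s id changed: %s  pre-login attributes kept: %s\n",
        $strategy,
        $result['id_changed'] ? 'yes' : 'no',
        $result['attributes_kept'] ? 'yes' : 'no');
}
```

Run with `php example.php`. The 'none' row is the noncompliant case: the session ID seen before authentication is the one the authenticated session keeps, which is exactly what a fixation attack relies on. With 'migrate' the ID changes while attributes such as the shopping cart survive, and with 'invalidate' both the ID and the pre-login attributes are discarded; either of the latter two is acceptable for the rule, the choice depends on whether pre-login session data must be preserved.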

See