Solving Cross-Site Request Forgery (CSRF) and session fixation attacks

CSRF occurs when a user who is currently logged in unknowingly follows a crafted link or triggers an event that submits an otherwise valid transaction with attacker-controlled request parameters; because the browser attaches the user's session cookie automatically, the server accepts the request, and the effects can be disastrous for the database, the network, or even the system infrastructure. Session fixation, on the other hand, happens when a user accidentally leaves a session open after logging out, and through that idle session an exploit occurs because someone maliciously reuses the existing session ID and its variables to execute unwanted transactions. Invalidating sessions alone does not guarantee protection against session fixation attacks; this recipe therefore explains how Spring Security can protect Spring MVC applications from both vulnerabilities.
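The following Java configuration is an added example and is not the recipe's own code; it shows the two Spring Security 5 settings that address the attacks described above in a Spring MVC application. The class name, package, and URLs (`/login`, `/css/**`) are assumptions for illustration. Spring Security already enables CSRF protection and session-fixation protection by default; the example writes both out explicitly so that a reviewer can see them and so that they are not removed by accident.

```java
// Added example (not the recipe's own code): Spring Security 5 Java configuration
// for a Spring MVC application. Package, class name and URLs are assumptions.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF: every state-changing request (POST, PUT, PATCH, DELETE) must carry
            // the synchronizer token Spring Security issued for this session. A forged
            // request from another origin cannot read that token, so it is rejected
            // with HTTP 403 even though the browser attaches the session cookie.
            .csrf()
                // Keep the token in an XSRF-TOKEN cookie that scripts may read, so
                // AJAX calls can echo it back in the X-XSRF-TOKEN header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .sessionManagement()
                // Session fixation: on successful login, discard the pre-login session
                // ID and issue a fresh one while copying the session attributes. Anyone
                // holding the old ID no longer holds a valid authenticated session.
                .sessionFixation().migrateSession()
                // A request arriving with an invalid or expired session ID is sent to
                // the login page instead of silently continuing.
                .invalidSessionUrl("/login?invalid")
                // One concurrent session per principal; a second login expires the
                // first, which closes the window for a forgotten, still-open session.
                .maximumSessions(1)
                    .expiredUrl("/login?expired")
                    .and()
                .and()
            .logout()
                // Logout invalidates the HTTP session server-side and clears the
                // JSESSIONID cookie, so the old ID cannot be replayed afterwards.
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/login?logout")
                .and()
            .authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login");
    }
}
```

With this in place, every HTML form that changes state must include the hidden `_csrf` field (Thymeleaf's `th:action` adds it automatically; a JSP form uses `${_csrf.parameterName}` and `${_csrf.token}`), and JavaScript clients must send the token from the `XSRF-TOKEN` cookie in the `X-XSRF-TOKEN` header. For `maximumSessions` to expire old sessions reliably, the application also needs an `HttpSessionEventPublisher` registered so that Spring Security is told when the servlet container destroys a session. The `migrateSession()` choice is deliberate: it preserves attributes the user accumulated before login (a shopping cart, a locale), whereas `newSession()` would start from an empty session, so choose the latter only when nothing from the anonymous session should survive authentication.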
