SSMC Project - Spring Security 3.2.8 + csrf + sessionFixation in AppScan

I have a problem that the application is tested in appscan and show two error like. First, Session ID not updated - Insecure web application programming or configuration and Second, Cross-site request spoofing - Reject malicious requests. Cross-site request spoofing is solved with .csrf().disable() and the other (Second) not yet. Spring Security 3.2.8 + csrf + sessionFixation + WAS 8.5 + Ibm + Java + Primefaces + AppScan Session identifier not updated Severity: Medium CVSS Score: 6.4 URL: [login to view URL] Entity: [login to view URL] (Page) Risk: It is possible to steal or manipulate the client's session and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter the user records, and perform transactions as if you were that user Causes: Insecure web application programming or configuration Fix: Change session identifier values after login Reason: The test result seems to indicate a vulnerability because the identifiers of the session in the original Request (on the left) and in the response (on the right) are the same. They should have been updated in the answer. Cross-site request forgery Severity: Medium CVSS Score: 6.4 URL: [login to view URL] Entity: [login to view URL] (Page) Risk: It is possible to steal or manipulate the client's session and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter the user records, and perform transactions as if you were that user Causes: The authentication method used by the application is insufficient Fix: Reject malicious requests Reason: The test result seems to indicate the presence of a vulnerability, since the answer of the test (on the right) is identical to the original answer (on the left), indicating that Cross-Site Request Forgery attempt was successful, even though it includes a header Dummy 'referer'.