Prohibit HTTP GET parameters for jsessionid

[labkey-jeckels]

Rationale

Servers that run both HTTP and HTTPS can end up choosing to send jsessionid values as GET parameters, because they may have an HTTP cookie that set to Secure. In scenarios like this, we want to be sure that we end up redirecting the client to HTTPS. We don't want session IDs to ever leak onto the URL.

Changes

• Tell Tomcat to only use cookies for communicating sessions

Tasks 📍

• Claude Code Review
• Manual Testing @labkey-tchad
  • Configure HTTPS via application.properties
  • Enable a separate HTTP port
  • Don't have HTTP->HTTPS redirect enabled in Site Settings
  • Log in via HTTPS
  • Hit the server via HTTP
  • Ensure you don't see a session on the URL
• Test Automation
• Verify Fix

[labkey-tchad]

I don't see a jsessionid on the url anymore but I can't actually log in via HTTP. (Yes, require HTTPS is unchecked in site settings)

[labkey-jeckels]

I don't see a jsessionid on the url anymore but I can't actually log in via HTTP. (Yes, require HTTPS is unchecked in site settings)

I think that's the awkward compromise. You can still log in, but only if you're using a browser that doesn't already have the Secure setting on its session cookie.

[labkey-tchad]

I don't see a jsessionid on the url anymore but I can't actually log in via HTTP. (Yes, require HTTPS is unchecked in site settings)

I think that's the awkward compromise. You can still log in, but only if you're using a browser that doesn't already have the Secure setting on its session cookie.

Ok. I tried it in an incognito window but I probably went to HTTPS first and got the secure cookie. I was able to log in if I went straight to HTTP in a fresh incognito window.

[labkey-mohara]

I opened firefox to repro something weird I was seeing on chrome - after not using firefox for at least a few weeks.
When I logged into nightly, I got a 404 at this URL:
https://nightly.labkey.com/home/project-start.view%3Bjsessionid%3D5E9E389C60A0AA9AD3FFD06F9ADB6E96
Clicking home or opening a new browser and trying for the home again seemed to clear this problem. As far as I can tell, HTTPS is required - I'm not sure how to tell if an http port is also configured.

[labkey-jeckels]

I opened firefox to repro something weird I was seeing on chrome - after not using firefox for at least a few weeks. When I logged into nightly, I got a 404 at this URL: https://nightly.labkey.com/home/project-start.view%3Bjsessionid%3D5E9E389C60A0AA9AD3FFD06F9ADB6E96 Clicking home or opening a new browser and trying for the home again seemed to clear this problem. As far as I can tell, HTTPS is required - I'm not sure how to tell if an http port is also configured.

This must be a different sequence than the one I used to repro. You shouldn't be able to hit the instance itself on HTTP at this point - the WAF should be doing a redirect.

Regardless, @labkey-mohara @labkey-jony if you see this again in develop or 26.6+ please let me know. This change should prevent the URL approach.