
Prohibit HTTP GET parameters for jsessionid #7676

Merged: labkey-jeckels merged 1 commit into release26.3-SNAPSHOT from 26.3_fb_cookieSessionsOnly on May 23, 2026

Conversation

@labkey-jeckels (Contributor) commented May 18, 2026

Rationale

Servers that run both HTTP and HTTPS can end up choosing to send jsessionid values as GET parameters, because they may have an HTTP cookie that is set to Secure. In scenarios like this, we want to be sure that we end up redirecting the client to HTTPS. We don't want session IDs to ever leak onto the URL.

Changes

  • Tell Tomcat to only use cookies for communicating sessions

Tasks 📍

  • Claude Code Review
  • Manual Testing @labkey-tchad
    • Configure HTTPS via application.properties
    • Enable a separate HTTP port
    • Don't have HTTP->HTTPS redirect enabled in Site Settings
    • Log in via HTTPS
    • Hit the server via HTTP
    • Ensure you don't see a session on the URL
  • Test Automation
  • Verify Fix
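The servlet-level form of "tell Tomcat to only use cookies", shown here as an added illustration (the PR's own change is not visible on this page): a ServletContextListener that restricts session tracking to SessionTrackingMode.COOKIE, so the container never falls back to writing ;jsessionid= into URLs. Package and class names are hypothetical, and the jakarta.servlet imports assume a Servlet 5+/Tomcat 10+ stack; in a Spring Boot deployment the same effect comes from server.servlet.session.tracking-modes=cookie in application.properties, and in web.xml from <session-config><tracking-mode>COOKIE</tracking-mode></session-config>.

```java
package org.example.session; // hypothetical package, not LabKey's

import java.util.EnumSet;

import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.SessionTrackingMode;
import jakarta.servlet.annotation.WebListener;

/**
 * Restricts servlet session tracking to cookies so the container never falls
 * back to URL rewriting (";jsessionid=..." appended to links and redirects).
 *
 * The failure mode this closes: a user logs in over HTTPS and receives a
 * session cookie flagged Secure. If the same browser later reaches the server
 * over plain HTTP, it withholds that cookie, the container sees no session,
 * and with URL tracking still enabled it would mint a new session ID and write
 * it into the URL, where it lands in proxy logs, browser history and Referer
 * headers. With COOKIE as the only tracking mode, no ID is ever placed in the URL.
 */
@WebListener
public class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Tracking modes can only be changed while the context is still
        // initialising; a listener's contextInitialized() is the supported
        // place to do it (calling it later throws IllegalStateException).
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Harden the session cookie itself while we are here.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // not readable from page JavaScript

        // Secure is deliberately left unset here: Tomcat marks the cookie
        // Secure on its own when the session is created on an HTTPS request.
        // Forcing it to true would refuse every plain-HTTP login outright,
        // which is the trade-off the review thread below describes.
    }
}
```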

@labkey-jeckels labkey-jeckels added this to the 26.03 milestone May 18, 2026
@labkey-jeckels labkey-jeckels requested a review from a team May 18, 2026 20:32
@labkey-jeckels labkey-jeckels self-assigned this May 18, 2026
@labkey-tchad (Member)

I don't see a jsessionid on the url anymore but I can't actually log in via HTTP. (Yes, require HTTPS is unchecked in site settings)

@labkey-jeckels (Contributor, Author)

> I don't see a jsessionid on the url anymore but I can't actually log in via HTTP. (Yes, require HTTPS is unchecked in site settings)

I think that's the awkward compromise. You can still log in, but only if you're using a browser that doesn't already have the Secure setting on its session cookie.

@labkey-tchad (Member)

> > I don't see a jsessionid on the url anymore but I can't actually log in via HTTP. (Yes, require HTTPS is unchecked in site settings)
>
> I think that's the awkward compromise. You can still log in, but only if you're using a browser that doesn't already have the Secure setting on its session cookie.

Ok. I tried it in an incognito window but I probably went to HTTPS first and got the secure cookie. I was able to log in if I went straight to HTTP in a fresh incognito window.

@labkey-jeckels labkey-jeckels merged commit f689c93 into release26.3-SNAPSHOT May 23, 2026
8 of 10 checks passed
@labkey-jeckels labkey-jeckels deleted the 26.3_fb_cookieSessionsOnly branch May 23, 2026 01:34