Fix/#3235 fixed session manage

[Limraj]

Summary by CodeRabbit

• Bug Fixes
  • Enhanced session fixation protection by creating new sessions during authentication events
  • Improved session cookie security with http-only and secure attributes to prevent unauthorized access

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

Session security configuration is enhanced across two files: session-fixation protection policy is changed from "none" to "newSession" in spring-security.xml, and session cookie security attributes (http-only and secure) are enabled in web.xml.

Changes

Cohort / File(s)	Summary
Session Security Configuration WebContent/WEB-INF/spring-security.xml	Updated session-fixation protection setting from "none" to "newSession" across multiple HTTP security configurations to generate new sessions on authentication events.
Session Cookie Security WebContent/WEB-INF/web.xml	Added cookie-config block to session-config enabling http-only and secure attributes for session cookies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

• SoftQ

Poem

🐰 A rabbit hops through spring's new way,
Sessions fresh-born every day,
Cookies locked with care so keen,
Safest sessions ever seen!

Pre-merge checks

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Fix/#3235 fixed session manage' partially relates to the changeset. It references fixing session management, which aligns with the actual changes (session-fixation protection and cookie security), but is grammatically awkward ('fixed session manage' lacks proper phrasing) and lacks specificity about the actual security improvements implemented.	Revise the title to be grammatically correct and more specific, such as 'Improve session security with fixation protection and secure cookies' or 'Enable session-fixation protection and enforce secure cookie attributes'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Java Script Mocha Unit Test Results

268 tests  ±0   268 ✅ ±0   3s ⏱️ ±0s
 70 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit c61e0fc. ± Comparison against base commit 4943a13.

♻️ This comment has been updated with latest results.

[github-actions]

Java JUnit Test Results

3 440 tests  ±0   3 440 ✅ ±0   51s ⏱️ -1s
  134 suites ±0       0 💤 ±0 
  134 files   ±0       0 ❌ ±0 

Results for commit c61e0fc. ± Comparison against base commit 4943a13.

♻️ This comment has been updated with latest results.

[Limraj]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4943a13 and 9e0fc1e.

📒 Files selected for processing (2)

• WebContent/WEB-INF/spring-security.xml
• WebContent/WEB-INF/web.xml

🔇 Additional comments (2)

WebContent/WEB-INF/spring-security.xml (2)

29-29: LGTM: Session fixation protection enabled for API and service endpoints.

Changing session-fixation-protection from "none" to "newSession" is a critical security improvement that mitigates session fixation attacks. When a user authenticates, Spring Security will now create a fresh session and invalidate the old one, preventing attackers from hijacking pre-set session IDs.

This change is applied consistently across all API and service security configurations (/services/**, /httpds/**, /httpds-secure/**, /api/secure/work-items/**, /api/secure/threads/**).

Verify that no external integrations or automated clients depend on session IDs persisting across authentication events.

Also applies to: 52-52, 75-75, 98-98, 121-121

---

450-450: LGTM: Session fixation protection enabled for web application.

Enabling session-fixation-protection="newSession" for the main application security context is a best practice that prevents session fixation attacks. Combined with the logout configuration on line 451 (invalidate-session="true" delete-cookies="JSESSIONID"), this provides comprehensive session security.

Ensure that any custom session management code or third-party integrations are compatible with session regeneration on authentication.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check if spring-security.xml exists and examine HTTPS enforcement
if [ -f "WebContent/WEB-INF/spring-security.xml" ]; then
  echo "=== Paths without HTTPS enforcement in spring-security.xml ==="
  rg -n 'intercept-url' WebContent/WEB-INF/spring-security.xml | head -30
  
  echo ""
  echo "=== Count summary ==="
  echo "Total intercept-url patterns:"
  rg -c 'intercept-url' WebContent/WEB-INF/spring-security.xml
  
  echo ""
  echo "Patterns with HTTPS enforcement:"
  rg 'intercept-url.*requires-channel="https"' WebContent/WEB-INF/spring-security.xml | wc -l
else
  echo "spring-security.xml not found at WebContent/WEB-INF/spring-security.xml"
  # Try to find it
  find . -name "spring-security.xml" -type f
fi

Repository: SCADA-LTS/Scada-LTS

Length of output: 2957

---

🏁 Script executed:

# Also check web.xml context around session-config to understand full configuration
echo "=== web.xml session-config context ==="
rg -B 5 -A 10 '<session-config>' WebContent/WEB-INF/web.xml || echo "No session-config found"

# Check for any RemoteIpValve or proxy configuration
echo ""
echo "=== Checking for RemoteIpValve or proxy configuration ==="
rg -i 'remoteipvalve|x-forwarded|proxy' WebContent/WEB-INF/ || echo "No proxy valve configuration found"

Repository: SCADA-LTS/Scada-LTS

Length of output: 5370

---

🏁 Script executed:

# Get full context of HTTP/HTTPS configuration in spring-security.xml
echo "=== HTTP configuration block in spring-security.xml ==="
rg -B 3 -A 50 '<http[^-]' WebContent/WEB-INF/spring-security.xml | head -80

Repository: SCADA-LTS/Scada-LTS

Length of output: 3841

---

Critical: secure flag will break authentication over HTTP.

The <secure>true</secure> flag ensures session cookies are only transmitted over HTTPS. However, examination of spring-security.xml reveals that only 8 out of 213 intercept-url patterns enforce HTTPS—meaning 96% of application paths allow HTTP access. This includes login, logout, static assets, and WebSocket endpoints. When users access via HTTP (which is explicitly permitted), the session cookie will not be sent by the browser, breaking authentication.

No RemoteIpValve or reverse proxy HTTPS termination configuration was detected.

Required action: Choose one approach:

1. Enforce HTTPS globally by adding requires-channel="https" to all intercept-url patterns in spring-security.xml
2. Remove the secure flag if HTTP access must be supported
3. Implement HTTPS termination at a reverse proxy (nginx, Apache) and configure Tomcat's RemoteIpValve to recognize it

The <http-only>true</http-only> flag is correct and should remain.

🤖 Prompt for AI Agents

In WebContent/WEB-INF/web.xml around lines 447 to 450, the cookie-config sets
<secure>true</secure> which prevents session cookies from being sent over plain
HTTP and thus breaks authentication for most application paths; fix by choosing
one of the three actions and implement it: (A) if you want to enforce HTTPS
everywhere, update spring-security.xml to add requires-channel="https" to all
intercept-url entries (or add a global requires-channel rule) so all traffic is
HTTPS-only; (B) if HTTP must remain supported, remove the <secure>true</secure>
line from web.xml (leaving <http-only>true</http-only> intact); or (C) terminate
HTTPS at a reverse proxy and configure Tomcat’s RemoteIpValve so the app sees
requests as secure (add/configure RemoteIpValve in server.xml and ensure the
proxy forwards X-Forwarded-Proto), then keep <secure>true</secure>.