war/src/main/webapp/WEB-INF/web.xml

@@ -10,5 +10,28 @@
 
     <session-config>
         <session-timeout>480</session-timeout>
+
+        <!--
+            By default, Tomcat will use a cookie to track the session.
+            However, if there is no cookie sent by the browser it will append
+            the session id to the URL. The way it does this is by adding a
+            ";jsessionid=..." to the end. This is not a problem in itself, but
+            it can enable session hijacking if the URL is shared and ";" is
+            a blocked character by the default Spring Security configuration.
+            (see StrictHttpFirewall).
+
+            So what happens is a user navigates to SciPro. No session cookie is
+            sent since this is the first request. SciPro sees that the user is
+            not authenticated and redirects the user to the login page.
+            When SciPro checks for authentication it checks the session which
+            will instruct Tomcat to create a session. Since Tomcat sees no
+            cookie it will append the session id to the redirect URL to try and
+            track the session. After the user has logged in it is redirected
+            back to SciPro with the session id in the URL which is then blocked
+            by Spring's StrictHttpFirewall.
+
+            To avoid this, we can set the tracking mode to *only* COOKIE.
+        -->
+        <tracking-mode>COOKIE</tracking-mode>
     </session-config>
 </web-app>