From fceb3fe3e8102df24acdffb4960daa18c1fb9c51 Mon Sep 17 00:00:00 2001
From: Limraj <kamil.jarmusik@gmail.com>
Date: Tue, 30 Dec 2025 19:16:47 +0100
Subject: [PATCH 1/3] #3235 Fixed session manage: - Fixed
 session-fixation-protection, change on newSession (spring-security.xml); -
 Force http-only and secure for cookies (web.xml);

---
 WebContent/WEB-INF/spring-security.xml | 14 ++++++++------
 WebContent/WEB-INF/web.xml             |  4 ++++
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/WebContent/WEB-INF/spring-security.xml b/WebContent/WEB-INF/spring-security.xml
index 732fc40e23..7486b2eff1 100644
--- a/WebContent/WEB-INF/spring-security.xml
+++ b/WebContent/WEB-INF/spring-security.xml
@@ -26,7 +26,7 @@
 
         <custom-filter ref="xssFilter" before="FIRST"/>
         <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthFilter"/>
-        <session-management session-fixation-protection="none" />
+        <session-management session-fixation-protection="newSession" />
     </http>
 
     <http use-expressions="true" disable-url-rewriting="true" pattern="/httpds/**"
@@ -49,7 +49,7 @@
 
         <custom-filter ref="xssFilter" before="FIRST"/>
         <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthFilter"/>
-        <session-management session-fixation-protection="none" />
+        <session-management session-fixation-protection="newSession" />
     </http>
 
     <http use-expressions="true" disable-url-rewriting="true" pattern="/httpds-secure/**"
@@ -72,7 +72,7 @@
 
         <custom-filter ref="xssFilter" before="FIRST"/>
         <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthFilter"/>
-        <session-management session-fixation-protection="none"/>
+        <session-management session-fixation-protection="newSession" />
     </http>
 
     <http use-expressions="true" disable-url-rewriting="true" pattern="/api/secure/work-items/**"
@@ -95,7 +95,7 @@
 
         <custom-filter ref="xssFilter" before="FIRST"/>
         <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthFilter"/>
-        <session-management session-fixation-protection="none"/>
+        <session-management session-fixation-protection="newSession" />
     </http>
 
     <http use-expressions="true" disable-url-rewriting="true" pattern="/api/secure/threads/**"
@@ -118,7 +118,7 @@
 
         <custom-filter ref="xssFilter" before="FIRST"/>
         <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthFilter"/>
-        <session-management session-fixation-protection="none"/>
+        <session-management session-fixation-protection="newSession" />
     </http>
 
     <http use-expressions="true" disable-url-rewriting="true"
@@ -447,7 +447,9 @@
                     login-processing-url="/login.htm"/>
         <custom-filter ref="xssFilter" before="FIRST"/>
         <custom-filter after="SECURITY_CONTEXT_FILTER" ref="setDataSessionFilter" />
-        <session-management session-fixation-protection="none" />
+        <session-management session-fixation-protection="newSession" >
+            <concurrency-control max-sessions="1" />
+        </session-management>
         <logout logout-url="/logout.htm" invalidate-session="true" delete-cookies="JSESSIONID"
                 success-handler-ref="headerWriterLogoutHandler"/>
     </http>
diff --git a/WebContent/WEB-INF/web.xml b/WebContent/WEB-INF/web.xml
index 9c36167338..c717b56f11 100644
--- a/WebContent/WEB-INF/web.xml
+++ b/WebContent/WEB-INF/web.xml
@@ -444,6 +444,10 @@
   </listener>
   <session-config>
     <session-timeout>30</session-timeout>
+    <cookie-config>
+      <http-only>true</http-only>
+      <secure>true</secure>
+    </cookie-config>
   </session-config>
   <welcome-file-list>
     <welcome-file>home.jsp</welcome-file>

From 9e0fc1e7ae080d643887b28b9350cd6acc1c52a2 Mon Sep 17 00:00:00 2001
From: Limraj <kamil.jarmusik@gmail.com>
Date: Tue, 30 Dec 2025 19:18:18 +0100
Subject: [PATCH 2/3] #3235 Fixed session manage: - Corrected
 spring-security.xml

---
 WebContent/WEB-INF/spring-security.xml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/WebContent/WEB-INF/spring-security.xml b/WebContent/WEB-INF/spring-security.xml
index 7486b2eff1..527a28c3a2 100644
--- a/WebContent/WEB-INF/spring-security.xml
+++ b/WebContent/WEB-INF/spring-security.xml
@@ -447,9 +447,7 @@
                     login-processing-url="/login.htm"/>
         <custom-filter ref="xssFilter" before="FIRST"/>
         <custom-filter after="SECURITY_CONTEXT_FILTER" ref="setDataSessionFilter" />
-        <session-management session-fixation-protection="newSession" >
-            <concurrency-control max-sessions="1" />
-        </session-management>
+        <session-management session-fixation-protection="newSession" />
         <logout logout-url="/logout.htm" invalidate-session="true" delete-cookies="JSESSIONID"
                 success-handler-ref="headerWriterLogoutHandler"/>
     </http>

From c61e0fcf35b2efd41d0c5bec1581dde7b24e7750 Mon Sep 17 00:00:00 2001
From: Limraj <kamil.jarmusik@gmail.com>
Date: Tue, 30 Dec 2025 21:18:21 +0100
Subject: [PATCH 3/3] #3235 Fixed session manage: - Removed tag <secure>

---
 WebContent/WEB-INF/web.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/WebContent/WEB-INF/web.xml b/WebContent/WEB-INF/web.xml
index c717b56f11..35c42d1b2e 100644
--- a/WebContent/WEB-INF/web.xml
+++ b/WebContent/WEB-INF/web.xml
@@ -446,7 +446,6 @@
     <session-timeout>30</session-timeout>
     <cookie-config>
       <http-only>true</http-only>
-      <secure>true</secure>
     </cookie-config>
   </session-config>
   <welcome-file-list>