
2822 fix webinspect medium priority - persistent session #2911

Merged: 5 commits merged into develop from fix/2822-webinspect-session-cookie on Apr 9, 2024

Conversation


@jtimpe jtimpe commented Apr 3, 2024

Summary of Changes

As part of #2822, resolve the medium-priority finding. Closes #2902

How to Test

cd tdrs-backend && docker-compose up
cd tdrs-frontend && docker-compose up --build
  1. Set SESSION_EXPIRE_AT_BROWSER_CLOSE = False (or comment the line in settings/common.py)
  2. Open http://localhost:3000/ and sign in.
  3. Close the tab. Open a new tab and verify you are still logged in. Full quit the browser. Open a new window and verify you are still logged in. Log out.
  4. Set SESSION_EXPIRE_AT_BROWSER_CLOSE = True (or uncomment the line in settings/common.py)
  5. Close the tab. Open a new tab and verify you are still logged in. Full quit the browser. Open a new window and verify you are no longer logged in.

Deliverables

More details on how the deliverables herein are assessed are included here.

Deliverable 1: Accepted Features

Checklist of ACs:

  • medium finding addressed without impact to sys admin api access (60 day turnaround)
  • lfrohlich and/or adpennington confirmed that ACs are met.

Deliverable 2: Tested Code

  • Are all areas of code introduced in this PR meaningfully tested?
    • If this PR introduces backend code changes, are they meaningfully tested?
    • If this PR introduces frontend code changes, are they meaningfully tested?
  • Are code coverage minimums met?
    • Frontend coverage: [insert coverage %] (see CodeCov Report comment in PR)
    • Backend coverage: [insert coverage %] (see CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code

  • Are backend code style checks passing on CircleCI?
  • Are frontend code style checks passing on CircleCI?
  • Are code maintainability principles being followed?

Deliverable 4: Accessible

  • Does this PR complete the epic?
  • Are links included to any other gov-approved PRs associated with epic?
  • Does PR include documentation for Raft's a11y review?
  • Did automated and manual testing with iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed

  • Was the code successfully deployed via automated CircleCI process to development on Cloud.gov?

Deliverable 6: Documented

  • Does this PR provide background for why coding decisions were made?
  • If this PR introduces backend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces frontend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces dependencies, are their licenses documented?
  • Can reviewer explain and take ownership of these elements presented in this code review?

Deliverable 7: Secure

  • Does the OWASP Scan pass on CircleCI?
  • Do manual code review and manual testing detect any new security issues?
  • If new issues detected, is investigation and/or remediation plan documented?

Deliverable 8: User Research

Research product(s) clearly articulate(s):

  • the purpose of the research
  • methods used to conduct the research
  • who participated in the research
  • what was tested and how
  • impact of research on TDP
  • (if applicable) final design mockups produced for TDP development

@jtimpe jtimpe self-assigned this Apr 3, 2024

codecov bot commented Apr 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.44%. Comparing base (d3250a7) to head (bd8cefd).
Report is 1 commits behind head on develop.

❗ Current head bd8cefd differs from pull request most recent head 860e0e7. Consider uploading reports for the commit 860e0e7 to get more accurate results


@@             Coverage Diff             @@
##           develop    #2911      +/-   ##
===========================================
- Coverage    93.48%   93.44%   -0.04%     
===========================================
  Files          269      269              
  Lines         6228     6229       +1     
  Branches       523      524       +1     
===========================================
- Hits          5822     5821       -1     
  Misses         314      314              
- Partials        92       94       +2     
Flag Coverage Δ
dev-backend 93.60% <100.00%> (-0.04%) ⬇️
dev-frontend 92.62% <ø> (ø)


Files Coverage Δ
tdrs-backend/tdpservice/settings/common.py 99.24% <100.00%> (+0.01%) ⬆️

... and 1 file with indirect coverage changes



@jtimpe jtimpe added the raft review This issue is ready for raft review label Apr 3, 2024

@elipe17 elipe17 left a comment


Works as advertised!

@jtimpe jtimpe added QASP Review and removed raft review This issue is ready for raft review labels Apr 4, 2024
@jtimpe jtimpe requested a review from ADPennington April 4, 2024 12:31
@ADPennington ADPennington added the Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI label Apr 8, 2024
@ADPennington

per async discussion on 4/8 with @jtimpe:

  • SESSION_EXPIRE_AT_BROWSER_CLOSE does successfully convert the persistent cookie to a session cookie, but we also need to investigate the interaction with the default setting for SESSION_COOKIE_AGE
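A worked illustration of the two behaviours at issue in the test steps and in this comment, as added example code that is not part of the TDP project: it mirrors how Django's SessionMiddleware emits the sessionid cookie with and without SESSION_EXPIRE_AT_BROWSER_CLOSE, and how server-side expiry still follows SESSION_COOKIE_AGE. The cookie attributes other than Max-Age/Expires and the 30-minute cookie age are assumed demo values.

```python
import time
from email.utils import formatdate

# Constructed default; Django's stock SESSION_COOKIE_AGE is two weeks in seconds.
DEFAULT_SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2

def session_cookie_header(session_key, expire_at_browser_close,
                          cookie_age=DEFAULT_SESSION_COOKIE_AGE, now=None):
    """Build the Set-Cookie line the way Django's SessionMiddleware does.
    With SESSION_EXPIRE_AT_BROWSER_CLOSE=True, Max-Age and Expires are left out,
    so the browser discards the cookie on a full quit. The remaining attributes
    are assumed demo values, not read from the project's settings."""
    now = time.time() if now is None else now
    parts = [f"sessionid={session_key}"]
    if not expire_at_browser_close:
        parts.append(f"Max-Age={cookie_age}")
        parts.append("Expires=" + formatdate(now + cookie_age, usegmt=True))
    parts += ["Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    return "; ".join(parts)

def is_persistent_cookie(set_cookie_line):
    """The check behind the manual test steps: a cookie survives a full browser
    quit only if it carries a Max-Age or Expires attribute."""
    attrs = {a.split("=", 1)[0].strip().lower()
             for a in set_cookie_line.split(";")[1:]}
    return "max-age" in attrs or "expires" in attrs

def server_session_valid(last_saved_at, check_at, cookie_age=DEFAULT_SESSION_COOKIE_AGE):
    """Server-side validity: Django stores expire_date = last save + SESSION_COOKIE_AGE
    regardless of the browser-close flag, so a replayed session id keeps working
    until that age elapses even after the browser has dropped the cookie."""
    return check_at < last_saved_at + cookie_age

def demo():
    """Both settings from the test steps, with a constructed 30-minute
    SESSION_COOKIE_AGE chosen to match the review's '30min have elapsed' note."""
    age = 30 * 60
    persistent = session_cookie_header("s3ss10n", False, cookie_age=age, now=0)
    browser_scoped = session_cookie_header("s3ss10n", True, cookie_age=age, now=0)
    return {
        "persistent_cookie": is_persistent_cookie(persistent),          # True
        "browser_scoped_cookie": is_persistent_cookie(browser_scoped),  # False
        "server_valid_at_29min": server_session_valid(0, 29 * 60, age),  # True
        "server_valid_at_30min": server_session_valid(0, 30 * 60, age),  # False
    }
```

The last two results are the point of the SESSION_COOKIE_AGE question: dropping the cookie client-side does not shorten the server-side lifetime of the session id.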

@ADPennington ADPennington added Blocked Label for Pull Requests that are currently blocked by a dependency and removed Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI labels Apr 8, 2024
@ADPennington ADPennington added Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI and removed Blocked Label for Pull Requests that are currently blocked by a dependency labels Apr 9, 2024

@ADPennington ADPennington left a comment


lgtm @jtimpe 🚀 test notes here

  • removes expiration date from sessionid ✔️
  • sessionid still works with api requests while browser open ✔️
  • sessionid does not work with api requests after closing browser and 30min have elapsed ✔️

@ADPennington ADPennington added Ready to Merge and removed QASP Review Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI labels Apr 9, 2024
@jtimpe jtimpe merged commit 16cf743 into develop Apr 9, 2024
11 checks passed
@jtimpe jtimpe deleted the fix/2822-webinspect-session-cookie branch April 9, 2024 13:56
@jtimpe jtimpe mentioned this pull request Apr 30, 2024
Successfully merging this pull request may close these issues.

As a user I want my session to expire at browser close