Add E2E tests for session security error pages and fix 401 response handling

[tjementum]

Summary & Motivation

Add end-to-end tests for two session security scenarios: session revocation detection and replay attack detection. These tests verify that users are properly redirected to context-specific error pages with appropriate messaging when their sessions are compromised.

The tests simulate real-world security scenarios:

• Session revoked from another browser shows "Session ended" message
• Replay attack detection (stolen refresh token) shows "Security alert" message

Note: The security tests are skipped on Safari because WebKit does not allow programmatic manipulation of __Host_ prefixed cookies, which is required to simulate these attack scenarios. The tests run on Chromium and Firefox.

Also remove obsolete fallback logic in AuthenticationCookieMiddleware that added SessionNotFound header to all 401 responses. This fallback was originally added when the backend did not consistently set the x-unauthorized-reason header, but is no longer needed since commit 0b7fdc2 ensures all 401 responses include the header.

• Add comprehensive E2E tests for session-revoked and replay-attack error pages with helper functions for cookie manipulation
• Remove obsolete SessionNotFound fallback from AppGateway middleware
• Update E2E tests to use button role instead of link role for error page navigation after commit bfb77c5

Checklist

• I have added tests, or done manual regression tests
• I have updated the documentation, if necessary

[linear]

PP-764 E2E tests for context-specific error pages when session is revoked

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud