SEC-2865: Session URL rewriting being disabled should only strip JSESSIONID

[spring-projects-issues]

Rob Winch (Migrated from SEC-2865) said:

This is important so URL rewriting for something like Spring Session can take place

Things to consider:

• Users may have customized the COOKIE name (i.e. it may be a path variable other than JSESSIONID)
• Users may have path variables in their initial URL

[spring-projects-issues]

Rob Winch said:

Moving to backlog due to the fact that this is a significant new feature and we are already in RC phase

[OrangeDog]

Just to clarify, it is known that by default .sessionManagement() disables ALL rewriting?
While technically correct, rather than "disallows HTTP sessions to be included in the URL", the documentation should be clear on this.

[jzheaux]

Good point, @OrangeDog. Would you like to submit a PR with some improved documentation around this?