Patch base64 encoding to strip padding, and remove non-url safe characters to prevent value from being stripped/truncated in cookie (stripped =, truncated / as separator).
Problematic because initial cookie value causes requests to fail when matching body and head, but on subsequent requests, truncated value becomes cookie value used in both body and head when performing CSRF request verification.
Ensure base64 encoding does not contain cookie seps.
Strip out padding to make safe for cookie use.
+1 to merge