There are 3 tests (NoRememberMeLoginAutoconfigured, NoRememberMeLoginMockMvcWebClientBuilder and NoRememberMeLoginManually) and only the manually configured WebClient behaves as expected.
The problem is that the WebClient stays "logged in" although the session cookie has been deleted.
This does not happen when configuring it manually (new WebClient) or when accessing the page with a browser.
I used an HandlerInterceptorAdapter to verify that the cookies are not sent for the second request. Feel free to check this again (HandlerInterceptorAdapter is included in the example project) because I might have overlooked something.
it seems the Problem is @WithAnonymousUser.
When I set it the SecurityContext will always have an AnonymousAuthenticationToken.
Everything works fine when I omit the annotation. But the secured page should normally not be accessible by an anonymous (not logged in) User. There is even a mockMvc test asserting that @WithAnonymousUser is redirected to login.