Add CookieHttpSessionStrategy.setCookieValueDelimiter #615

Closed
rwinch opened this issue Sep 6, 2016 · 0 comments
Labels
in: core type: enhancement A general enhancement

rwinch commented Sep 6, 2016

Currently the session alias and the session ids are always delimited by " ". It would be nice to allow users to inject their own delimiter to work around issues caused by Tomcat 8.5 using RFC-6265 (i.e. #605).

Example Usage

This demonstrates how to migrate from a delimiter of " " to a new delimiter of "_" which is compliant with RFC 6265 and still read old cookie values.

```java
@Bean
public CookieHttpSessionStrategy strategy() {
    CookieHttpSessionStrategy strategy = new CookieHttpSessionStrategy();
    strategy.setDeserializationDelimiter("_ ");
    strategy.setSerializationDelimiter("_");
    return strategy;
}

// necessary to ensure you can still read the value if using Tomcat 8.5
@Bean
public EmbeddedServletContainerCustomizer customizer() {
    return container -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            tomcat.addContextCustomizers(context -> context.setCookieProcessor(new LegacyCookieProcessor()));
        }
    };
}
```

Users should:

  • Have the above code deployed for at least the length of time a session is valid. This will ensure that all new sessions are created with the new delimiter and are parsed with both the old delimiter and the new delimiter.
  • Ensure that something (i.e. a servlet Filter) rewrites existing cookies with the new delimiter. This is necessary because Spring Session only writes new sessions as a Cookie, so the configuration only ensures new sessions are correct.
  • Afterwards, all sessions should be in the new format, so the customization to Tomcat can be removed.
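
One way to write the cookie-rewriting servlet Filter mentioned in the second bullet, as an added example that is not part of the original issue or of Spring Session. It assumes the cookie is named `SESSION`, its value is not encoded, aliases and session ids contain no `_`, and the path, HttpOnly and Secure attributes set below match the application's cookie settings; the class name is hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not Spring Session code. Register it ahead of the Spring Session
// filter so that any cookie Spring Session writes later in the same response wins.
public class SessionCookieDelimiterMigrationFilter implements Filter {
    private static final String COOKIE_NAME = "SESSION"; // assumed cookie name
    private static final String OLD_DELIMITER = " ";
    private static final String NEW_DELIMITER = "_";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Cookie[] cookies = request.getCookies(); // null when the client sent no cookies
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String value = cookie.getValue();
                // Only multi-session values ("alias id alias id") contain the old delimiter.
                if (COOKIE_NAME.equals(cookie.getName()) && value != null
                        && value.contains(OLD_DELIMITER)) {
                    response.addCookie(rewrite(request, value));
                }
            }
        }
        chain.doFilter(request, response);
    }

    // Re-issue the same aliases and ids with the new delimiter. The browser does not
    // send cookie attributes back, so they are set again here (assumed values).
    private Cookie rewrite(HttpServletRequest request, String oldValue) {
        Cookie migrated = new Cookie(COOKIE_NAME, oldValue.replace(OLD_DELIMITER, NEW_DELIMITER));
        migrated.setPath(request.getContextPath() + "/");
        migrated.setHttpOnly(true);              // keep the session id away from scripts
        migrated.setSecure(request.isSecure());  // keep the Secure flag on HTTPS requests
        return migrated;
    }

    @Override
    public void destroy() { }
}
```

The filter leaves the incoming request untouched, so the `"_ "` deserialization delimiter and `LegacyCookieProcessor` from the configuration above are still needed to read the old value on that request.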