Spring Security Allow customizing AbstractRememberMeServices cookie

Expected Behavior

Current Behavior

Context

I want to set the same-site attribute for the remember-me cookie. The servlet Cookie class exposes the setAttribute method to modify the cookie attribute. We can add setCookeAttribute to AbstractRememberMeServices or offer a post-processor style API that allows clients to modify the cookie:

363
    protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
        String cookieValue = encodeCookie(tokens);
        Cookie cookie = new Cookie(this.cookieName, cookieValue);
        cookie.setMaxAge(maxAge);
        cookie.setPath(getCookiePath(request));
        if (this.cookieDomain != null) {
            cookie.setDomain(this.cookieDomain);
        }
        if (maxAge < 1) {
            cookie.setVersion(1);
        }
        cookie.setSecure((this.useSecureCookie != null) ? this.useSecureCookie : request.isSecure());
        cookie.setHttpOnly(true);

                 this.cookiePostProcessor.accept(cookie); // NEW

        response.addCookie(cookie);
    }

And the same thing for the configurer

Comment From: marcusdacoregio

Hi, @ooraini. Thanks for the suggestion.

I believe we can add something like we have in CookieCsrfTokenRepository. Would you be interested in submitting a PR that adds a new cookieCustomizer field, following what I linked above?