Describe the bug
In OidcBackChannelLogoutHandler.java for Spring Security 6.3.0 (and earlier), the session cookie name is hardcoded to JSESSIONID, like so:
private String sessionCookieName = "JSESSIONID";
But you actually have a setter method for this:
    /**
     * Use this cookie name for the session identifier. Defaults to {@code JSESSIONID}.
     *
     * <p>
     * Note that if you are using Spring Session, this likely needs to change to SESSION.
     * @param sessionCookieName the cookie name to use
     */
    void setSessionCookieName(String sessionCookieName) {
        Assert.hasText(sessionCookieName, "clientSessionCookieName cannot be empty");
        this.sessionCookieName = sessionCookieName;
    }
However, the setter method is not called from OidcLogoutConfigurer.BackChannelLogoutConfigurer and is thus not configurable. It should be available, as was recently done for the logout URI, so that I can set it in my SecurityConfig.
My specific problem is that I am using it in a Spring JDBC Session setup, which expects the cookie name to be just SESSION. You even write it in the JavaDoc for the setter method :)
To Reproduce
Running OIDC and support for backchannel logout with a Spring JDBC Session setup.
Expected behavior
I can configure the cookie name in my SecurityConfig, such that the eachLogout method in OidcBackChannelLogoutHandler.java calls the logout POST request with the proper SESSION cookie name, such that the active session can be obtained in SecurityContextLogoutHandler.java in the logout method.
I expect it would look something like:
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, ...) throws Exception {
        return http
            ...
            .oidcLogout(oidcLogout -> oidcLogout
                .backChannel(backChannel -> {
                    backChannel.logoutUri(LOCAL_LOGOUT_URL);
                    backChannel.sessionCookieName("SESSION");
                })
            )
            ...
            .build();
    }
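To make the failure mode in the report concrete, the following is an added example and not code from Spring Security, Spring Session or the reporter. All classes and method names in it (SessionStore, LocalLogoutEndpoint, BackChannelLogoutHandler, sessionSurvivesLogout) are constructed stand-ins for the back-channel hop described above: the handler POSTs to the local logout endpoint with the session id in a Cookie header, and the endpoint only terminates the session if the cookie name matches the one the application's session mechanism uses.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/** Constructed model of the back-channel logout hop; not Spring Security or Spring Session code. */
public final class BackChannelLogoutCookieNameDemo {

    /** In-memory session store standing in for the servlet container or Spring Session. */
    static final class SessionStore {
        private final Map<String, String> sessions = new HashMap<>(); // session id -> subject

        void create(String sessionId, String subject) {
            sessions.put(sessionId, subject);
        }

        boolean isActive(String sessionId) {
            return sessions.containsKey(sessionId);
        }

        boolean invalidate(String sessionId) {
            return sessions.remove(sessionId) != null;
        }
    }

    /** Minimal Cookie-header parser: "a=1; b=2" becomes {a=1, b=2}. */
    static Map<String, String> parseCookieHeader(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        if (header == null || header.isBlank()) {
            return cookies;
        }
        for (String part : header.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && !kv[0].isBlank()) {
                cookies.put(kv[0].trim(), kv[1].trim());
            }
        }
        return cookies;
    }

    /** Stand-in for the local logout endpoint; it reads the session id from one fixed cookie name. */
    static final class LocalLogoutEndpoint {
        private final SessionStore store;
        private final String sessionCookieName; // "JSESSIONID" for container sessions, "SESSION" for Spring Session

        LocalLogoutEndpoint(SessionStore store, String sessionCookieName) {
            this.store = store;
            this.sessionCookieName = sessionCookieName;
        }

        /** Returns true only if a session was actually found and invalidated. */
        boolean handleLogoutPost(String cookieHeader) {
            String sessionId = parseCookieHeader(cookieHeader).get(sessionCookieName);
            return sessionId != null && store.invalidate(sessionId);
        }
    }

    /** Stand-in for the back-channel handler: builds the Cookie header of the local logout POST. */
    static final class BackChannelLogoutHandler {
        private String sessionCookieName = "JSESSIONID"; // the hardcoded default from the report

        void setSessionCookieName(String sessionCookieName) {
            if (sessionCookieName == null || sessionCookieName.isBlank()) {
                throw new IllegalArgumentException("sessionCookieName cannot be empty");
            }
            this.sessionCookieName = sessionCookieName;
        }

        String cookieHeaderFor(String sessionId) {
            return sessionCookieName + "=" + sessionId;
        }
    }

    /**
     * Runs one back-channel logout against a constructed session and reports whether the
     * session is still active afterwards. The application stores sessions under
     * appCookieName; the handler sends handlerCookieName.
     */
    static boolean sessionSurvivesLogout(String handlerCookieName, String appCookieName) {
        SessionStore store = new SessionStore();
        store.create("sid-123", "alice"); // constructed sample session
        LocalLogoutEndpoint endpoint = new LocalLogoutEndpoint(store, appCookieName);
        BackChannelLogoutHandler handler = new BackChannelLogoutHandler();
        handler.setSessionCookieName(handlerCookieName);

        endpoint.handleLogoutPost(handler.cookieHeaderFor("sid-123"));
        return store.isActive("sid-123");
    }

    public static void main(String[] args) {
        // Spring Session style application (cookie "SESSION") with the hardcoded default.
        System.out.println("handler JSESSIONID, app SESSION, session survives: "
                + sessionSurvivesLogout("JSESSIONID", "SESSION"));
        // Same application once the handler is told the cookie name the application uses.
        System.out.println("handler SESSION, app SESSION, session survives: "
                + sessionSurvivesLogout("SESSION", "SESSION"));
    }
}
```

The point the model makes is that a mismatched cookie name does not produce an error anywhere: the local logout POST simply carries a cookie the endpoint never looks at, no session is found, and the user's session stays valid after the provider has announced the logout. A test that asserts the session is really gone after a simulated back-channel logout is the cheapest way to catch this in a Spring Session deployment.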
Comment From: aelillie
Related to #14904.
Comment From: jzheaux
Thanks for reaching out @aelillie. Given that #14904 would solve your concern, I'm going to close this as a duplicate. If something else gets reported that requires looking at just the cookie name and not the logout request in general, we can reopen this.