Spring Security Enhance the BackChannelLogoutConfigurer to make the session cookie name configurable.

Expected Behavior

The BackChannelLogoutConfigurer should make the session cookie name for the OidcBackChannelLogoutHandler configurable.

Current Behavior In Spring Security 6.3.1, the cookie name can only be customized by calling the handler's setter method. The default cookie name is JSESSIONID.

Context My application currently uses Spring Session, and the session cookie name is SESSION, which differs from the default value JSESSIONID. To address this, I have adapted the default Spring Session cookie name by applying the CookieSerializer. Alternatively, I could modify the cookie name by using the handler's public setter method, but the best solution would be to make it configurable by the BackChannelLogoutConfigurer.

Comment From: jzheaux

Thanks for reaching out, @f1l2. This will be addressed by https://github.com/spring-projects/spring-security/issues/14904, so I'll close this as a duplicate. If it feels like this is different than that ticket, please let me know and we can reopen.