Description
Context:
With OPT-1929, some CSRF protection has been implemented. However, the secure flag of the Optimize auth cookie is only added if the HTTP endpoint is disabled. This is very counterintuitive. We should also set the secure flag for the HTTPS connection.
AT:
- the cookie secure flag is always set for the HTTPS Optimize endpoint
- all the cookie flags are tested for the HTTP and HTTPS endpoint
- the documentation is adjusted so that it still recommends disabling HTTP but no longer mentions the cookie part.
Hint:
- currently we don't test that the cookie flags are set for the https endpoint
- we should not set the cookie filter using the jetty filter feature but rather do it with the CookiePatternRule similar to how we've done it with the HeaderPatternRule in OPT-3248. So some clean up is necessary here.
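As an added illustration of the acceptance test described above (not Optimize project code), the check below parses a Set-Cookie header and reports which flags the auth cookie lacks per endpoint. It assumes the cookie should carry HttpOnly and SameSite=Strict on both endpoints and Secure on the HTTPS endpoint regardless of whether the HTTP endpoint is enabled; the cookie name and the sample headers are constructed placeholders, since the ticket does not give them.

```python
# Added example (not Optimize project code): verify auth cookie flags per endpoint.
from typing import Dict, List

# Placeholder; the ticket does not name the actual Optimize auth cookie.
AUTH_COOKIE_NAME = "AUTH_COOKIE_PLACEHOLDER"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute keys are lower-cased; value-less flags (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    result = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        result[key.strip().lower()] = val.strip()
    return result


def missing_cookie_flags(header: str, scheme: str) -> List[str]:
    """Return the flags the auth cookie should carry but does not.

    HttpOnly and SameSite=Strict are expected on every endpoint (assumed
    expectation). Secure is expected whenever the cookie is served over HTTPS,
    independent of whether a plain-HTTP endpoint is also enabled.
    """
    cookie = parse_set_cookie(header)
    missing: List[str] = []
    if "httponly" not in cookie:
        missing.append("HttpOnly")
    if cookie.get("samesite", "").lower() != "strict":
        missing.append("SameSite=Strict")
    if scheme == "https" and "secure" not in cookie:
        missing.append("Secure")
    return missing


def check_endpoints(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the flag check for each scheme -> Set-Cookie header pair."""
    return {scheme: missing_cookie_flags(hdr, scheme) for scheme, hdr in responses.items()}


# Constructed sample headers modelling the behaviour the ticket describes:
# before the fix the HTTPS response lacks Secure while HTTP is still enabled.
SAMPLE_BEFORE = {
    "http": f"{AUTH_COOKIE_NAME}=tok123; Path=/; HttpOnly; SameSite=Strict",
    "https": f"{AUTH_COOKIE_NAME}=tok123; Path=/; HttpOnly; SameSite=Strict",
}
SAMPLE_AFTER = {
    "http": f"{AUTH_COOKIE_NAME}=tok123; Path=/; HttpOnly; SameSite=Strict",
    "https": f"{AUTH_COOKIE_NAME}=tok123; Path=/; Secure; HttpOnly; SameSite=Strict",
}

if __name__ == "__main__":
    print("before fix:", check_endpoints(SAMPLE_BEFORE))
    print("after fix: ", check_endpoints(SAMPLE_AFTER))
```

In an integration test the two sample dictionaries would be replaced by the Set-Cookie headers captured from a login against each configured endpoint, and the test would assert that every list of missing flags is empty.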