Add Base64 encoding option to DefaultCookieSerializer

[rwinch]

In order to support RFC 6265 we should consider adding Base64 encoding option to DefaultCookieSerializer since the spec states:

To maximize compatibility with user agents, servers that wish to
store arbitrary data in a cookie-value SHOULD encode that data, for
example, using Base64

NOTE:

• We must remain JDK 5 compliant, so we will likely need to copy code from Spring Security into a package private class. See Base64 and Base64Tests
• We should also be safe when decoding the value. If we get an error decoding the cookie value, we should return null. This prevents internal server errors if a user has a cookie with a non-base64 encoded value (i.e. there was a migration). Additionally, it prevents information leakage in the event a malicious user specifies an invalid value

[vpavic]

@rwinch Will take a look into this one and come up with PR.

[vpavic]

@rwinch I've created the PR (#614) to address this using the guidelines you outlined above.

However I wonder if this should be the default, rather than an option, considering it does not seem likely the Tomcat will change the default behavior?

[rwinch]

@vpavic Thanks. I don't think we can make this the default:

• This only impacts users who are leveraging both:
  • multiple sessions in a single browser
  • Tomcat 8.5 which is a small subset of users
• The change is non-passive. Specifically, all existing session cookie values will be invalid.
• Base64 encoding increases the size of the cookie rather significantly.
• Users might wish to simply change the delimiter rather than Base64 encoding. See Add CookieHttpSessionStrategy.setCookieValueDelimiter #615