Interface UserSessionOptions

Hierarchy

  • UserSessionOptions

Properties

Readonly cache-control

cache-control: boolean

Whether to set the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" response header on the requests that deliver access and refresh tokens to the client (i.e. the CookieUserSessionMiddleware.create and CookieUserSessionMiddleware.renew operations).

Readonly cookie

Session id cookie options.

Readonly csrf

csrf: object

CSRF header options, applied only when requests are made from browser devices.
After session creation, all subsequent requests must include the UserSessionOptions.csrf.name header with the value UserSessionOptions.csrf.value.
This is needed for CSRF mitigation.

Type declaration

  • Readonly name: string

    Lowercase name of the CSRF header.

    example


    x-requested-with

  • Readonly value: HttpHeaderValue

    Value of the CSRF header.
    This value is compared with the one from the HTTP request. If they do not match, an error is thrown and the request is aborted.

    example


    XmlHttpRequest

Readonly header

header: string

Lowercase name of the header in the HTTP response that will contain the session id.
This option applies to non-browser devices, which receive the session id via a header instead of cookies.
Whether the device is a browser or non-browser is decided based on the device property from the HTTP request object.

Note that on subsequent requests, the session id must be included in the Authorization header.

example


x-session-id
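
How the csrf, header and cache-control options described above interact, as an added sketch that is not the library's own code. SessionOptionsSketch, checkCsrf, sessionResponseHeaders, the isBrowser flag and the sid cookie are hypothetical, and HttpHeaderValue is assumed to be a plain string.

```typescript
// Added illustration, not the library's implementation.
// Assumption: HttpHeaderValue is treated as a plain string here.
interface SessionOptionsSketch {
  readonly 'cache-control': boolean;
  readonly csrf: { readonly name: string; readonly value: string };
  readonly header: string;
}

type HeaderMap = Record<string, string | undefined>;

// Values taken from the examples in the documentation above.
const sampleOptions: SessionOptionsSketch = {
  'cache-control': true,
  csrf: { name: 'x-requested-with', value: 'XmlHttpRequest' },
  header: 'x-session-id',
};

// Browser requests made after session creation must carry the CSRF header
// with the configured value. Names are lowercase because Node.js lowercases
// incoming header names. Exact string comparison is an assumption.
function checkCsrf(opts: SessionOptionsSketch, requestHeaders: HeaderMap, isBrowser: boolean): void {
  if (!isBrowser) return; // the CSRF header applies to browser devices only
  if (requestHeaders[opts.csrf.name] !== opts.csrf.value) {
    throw new Error(`CSRF header '${opts.csrf.name}' is missing or does not match`);
  }
}

// Response headers for an operation that delivers a session id to the client.
function sessionResponseHeaders(opts: SessionOptionsSketch, sessionId: string, isBrowser: boolean): HeaderMap {
  const out: HeaderMap = {};
  if (opts['cache-control']) {
    // Caches must not reuse the listed header fields without revalidating with the origin.
    out['cache-control'] = 'no-cache="Set-Cookie, Set-Cookie2"';
  }
  if (isBrowser) {
    // Cookie name and attributes are constructed; the real ones come from the cookie option.
    out['set-cookie'] = `sid=${sessionId}; HttpOnly; Secure; SameSite=Strict`;
  } else {
    out[opts.header] = sessionId; // non-browser devices get the id in a header
  }
  return out;
}
```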