Disable cookies for clients and public routes

[simonhir]

Describe the bug

When using the /clients or /public gateway routes you still get cookies set which is not required for both.

To Reproduce

• Call a /clients-Route (i.e. /clients/digitalwf-backend-service/rest) or /public-Route
• You get a Set-Cookie-header back with the auth and/or csrf cookie contained

Expected behavior

You can call both routes as before but there is no csrf or auth cookie set

Screenshots

Additional context

• Internal docs: https://git.muenchen.de/ccse/refarch-security/-/wikis/vorgaben/kommunikation#2-aufrufe-aus-anderen-anwendungen-immer-%C3%BCber-das-api-gateway

[darenegade]

Das scheint aktuell nicht umsetzbar:

spring-projects/spring-security#6552

https://stackoverflow.com/questions/56056404/disable-websession-creation-when-using-spring-security-with-spring-webflux/67005365#67005365

[simonhir]

Will be done within it-at-m/refarch#135