After this change sameSite still gets a default value of "Strict" in CookieWebSessionIdResolver but for changes to either sameSite or secure it is now expected to use addCookieInitializer(Consumer<ResponseCookie.ResponseCookieBuilder>). Issue: SPR-16418, SPR-16980