Use wildcard or regex in cookie name in Cookie Authentication #2296

@lauradP

Hi,
I need to use Cookie Authentication for my APIs, but the authentication cookie name in my app changes every time you log in (only the cookie name prefix is known: shibsession).

I was looking for a way to specify a cookie name pattern instead of the exact name. Is there such a feature?

Activity

markcraig commented on Dec 8, 2021

The API I'm describing has a similar problem. Although the API is the same across tenants, the cookie name depends on the tenant.

In this case, it would be helpful to be able to use a template for the name, rather than just a string as indicated in https://spec.openapis.org/oas/v3.1.0#security-scheme-object.

For example:

```yaml
securitySchemes:
  cookieAuth:
    type: apiKey
    description: >-
      The cookie name is a random string.
      The tenant administrator can view the string in
      Tenant Settings > Global Settings > Cookie.
    in: cookie
    # Actual name is something like:
    #name: 46b42b4229cd7a3
    name: "{tenantCookieName}"
```

added this to the v3.3.0 milestone on Nov 21, 2024

handrews (Member) commented on Nov 21, 2024

We're looking at adding more powerful data modeling (including for headers) and security configuration in 3.3 (after a short 3.2 that excludes more complex issues like this). I think part of the problem here is that the special treatment of Authentication (rather than modeling it like other headers) removes some features that would be useful. Another part might be that we just don't model cookies all that well in general.
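
An added example, not part of this thread or of the OpenAPI specification: one way a gateway or test harness could locate the authentication cookie when only a pattern or template for its name is known. The `x-name-pattern` extension key, the function names and the sample cookie values are assumptions made for illustration; `{tenantCookieName}` is the placeholder from the comment above.

```python
import re

def name_matcher(scheme, variables=None):
    """Return a compiled regex for the cookie name of an apiKey-in-cookie scheme."""
    if scheme.get("type") != "apiKey" or scheme.get("in") != "cookie":
        raise ValueError("not an apiKey-in-cookie security scheme")
    if "x-name-pattern" in scheme:  # hypothetical vendor extension, not in the OAS
        return re.compile(scheme["x-name-pattern"])
    # Otherwise treat `name` as a literal with {placeholder} slots.
    # re.split with a capture group yields literal, placeholder, literal, ...
    variables = variables or {}
    pattern = ""
    for i, part in enumerate(re.split(r"\{(\w+)\}", scheme["name"])):
        if i % 2:  # odd positions are placeholder names
            if part not in variables:
                raise ValueError(f"no value for placeholder {part!r}")
            part = variables[part]
        # Escape everything so tenant-supplied values cannot inject regex syntax.
        pattern += re.escape(part)
    return re.compile(pattern)

def find_auth_cookie(cookie_header, matcher):
    """Return (name, value) of the single matching cookie, else None."""
    pairs = [p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p]
    # fullmatch anchors both ends: "xshibsession_1" must not satisfy the pattern.
    hits = [(n, v) for n, v in pairs if matcher.fullmatch(n)]
    # Zero hits: unauthenticated. Several hits: ambiguous, so fail closed
    # rather than guess which cookie carries the session.
    return hits[0] if len(hits) == 1 else None

# Constructed sample schemes (not taken from any real deployment).
SHIB = {"type": "apiKey", "in": "cookie", "name": "shibsession",
        "x-name-pattern": r"shibsession[A-Za-z0-9_]*"}
TENANT = {"type": "apiKey", "in": "cookie", "name": "{tenantCookieName}"}

if __name__ == "__main__":
    shib = name_matcher(SHIB)
    print(find_auth_cookie("theme=dark; shibsession_ab12=tok1", shib))
    print(find_auth_cookie("shibsession_a=1; shibsession_b=2", shib))
    tenant = name_matcher(TENANT, {"tenantCookieName": "46b42b4229cd7a3"})
    print(find_auth_cookie("46b42b4229cd7a3=abc; lang=en", tenant))
```

Rejecting a request that carries more than one matching cookie keeps a pattern-based scheme from silently accepting whichever cookie happens to come first.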

          Use wildcard or regex in cookie name in Cookie Authentication · Issue #2296 · OAI/OpenAPI-Specification