add preserve_path option for cookie session to not override the path

[paulbdavis]

Related issue

#296

Proposed changes

This adds a preserve_path option to the cookie_session authenticator to allow the original path specified to be used to check the session

Checklist

• I have read the contributing guidelines
• I have read the security policy
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation within the code base (if appropriate)
• I have documented my changes in the
  developer guide (if appropriate)

Further comments

You can configure as follows:

authenticators:
  cookie_session:
    enabled: true
    config:
      check_session_url: https://example.com/check-session
      preserve_path: true

With preserve_path set to true, all session check calls will go to the path specified in the check_session_url rather than replacing it

I'm not in love with the parameter name, but it's the first thing that came to mind (except using override_path instead, but I don't want to change the default behavior)

I'm also thinking that the original request path should be preserved somewhere when this is set, either as a query param (https://example.com/check-session?path=/original/path) or as a header (X-Oathkeeper-Original-Path: /original/path). Thoughts on that?

[aeneasr]

Awesome - thank you! This looks good to me :)

Could you please document this behavior here: https://github.com/ory/docs/blob/master/docs/oathkeeper/pipeline/authn.md#cookie_session