fix 2fa session

core/src/main/java/de/bstly/we/security/SecurityConfig.java

@@ -95,9 +95,7 @@ public class SecurityConfig {
 				.sessionManagement((anonymous) -> anonymous.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
 						.sessionAuthenticationStrategy(new SessionFixationProtectionStrategy()))
 				// disable deprectated xss protection, x-frame
-				.headers((headers) -> headers.xssProtection((xssProtection) -> xssProtection.disable())
-						.frameOptions((frameOptions) -> frameOptions.disable()
-								.referrerPolicy((referrerPolicy) -> referrerPolicy.policy(ReferrerPolicy.UNSAFE_URL))))
+				.headers((headers) -> headers.xssProtection((xssProtection) -> xssProtection.disable()))
 				// form login
 				.formLogin((formLogin) -> formLogin.loginPage(loginUrl).usernameParameter("username")
 						.passwordParameter("password")
@@ -119,8 +117,13 @@ public class SecurityConfig {
 				.exceptionHandling(
 						(exceptionHandling) -> exceptionHandling.accessDeniedHandler(localAccessDeniedHandler)
 								.authenticationEntryPoint(localAuthenticationEntryPoint()))
+				// x-frame
+				.headers((headers) -> headers.frameOptions((frameOptions) -> frameOptions.disable()
+						.referrerPolicy((referrerPolicy) -> referrerPolicy.policy(ReferrerPolicy.UNSAFE_URL))))
 				// crsf
-				.csrf((csrf) -> csrf.disable());
+				.csrf((csrf) -> csrf.disable())
+				// TODO: update
+				.securityContext((securityContext) -> securityContext.requireExplicitSave(false));
 
 		if (disableCors) {
 			http.cors((cors) -> cors.disable());