refactor(http): improve session management and CSRF protection

[innocenzi]

NOT READY FOR REVIEW. Don't mind the diff, this will be rebased on 3.x after #1819 is merged.

---

Closes #1734
Closes #1699

This pull request improves the implementation details of multiple parts of the http package, separates the "previous URL", the validation errors and the form original values from the session, and implements CSRF protection through Sec-Fetch-* headers instead of a CSRF token.

CSRF protection

I replaced the CSRF protection from a classic CSRF token approach to using Sec-Fetch-Site and Sec-Fetch-Mode, which are baseline.

This cleans up a bit of code, removes the hard-coded CSRF token from the session, removes the <x-csrf /> component and its need in <x-form>. And it's modern.

Precedents: rails/rails#56350
Discord discussion: https://discord.com/channels/1236153076688359495/1236153079603269766/1449963794515361896

Previous URL

In an effort to decouple specific feature from the Session object, I ended up with a nice isolated PreviousUrl class and kept a middleware like before.

The PreviousUrl class depends on the session and has utilities to track the previous and intended URLs:

// Saves the current URL from the request if needed
$this->previousUrl->track($request);

// Gets the previous URL, with an optional default
$this->previousUrl->get(default: '/');

// Gets the intended URL (eg. to set before a redirect to the login page), with an optional default
$this->previousUrl->getIntended(default: '/');

Validation errors and original values

In the same effort to decouple features from the Session object, I created a FormSession class, similar to the PreviousUrl class: it isolates features related to forms, their validation errors and their original values.

The HtmlExceptionRenderer introduced in #1819 is still responsible for filling the proper values when validation errors occur. The components that were using the session directly now use FormSession.

I'm not sure about this name though. I thought of HtmlFormState, or just FormState, but none of those sound particularly good.

These changes should be transparent to users unless they manually reached for Session::VALIDATION_ERRORS or $session->getErrorsFor(), which was generally not required thanks to the view components.

// get the list of failing rules for a field
$formSession->getErrorsFor('name');

// get the original value of a field before validation failure
$formSession->getOriginalValueFor('name', default: '');

Session and SessionManager

So, I was never a fan of dependency location in Session, especially given the fact that this class is meant to be serialized. My initial goal with this PR was to refactor it to make it a singleton value object and to improve performance of session managers.

Session now only holds its data and do nothing else. It doesn't have methods to save the session, destroy it or anything. Those are now the sole responsibility of SessionManager implementations, which have also been simplified.

I improved the performance of session manager by limiting their IO calls. Previously, they would load/save when retrieved and on any change. Now, they load once and save once, ad the start of the request and at the end. The ManageSessionLifecycleMiddleware middleware is responsible for the last part, but also implicitly the first part since Session is lazy-loaded using an initializer.

---

• Make Session a standalone object
  • Clean up its serialization
  • Remove dependency on SessionManager
• Make SessionManager interface more focused
• Improve performance of all session managers
  • Less IO for all managers
  • Don't save session on every change, only at the end of the request
• Decouple "previous url" feature from
• Decouple validation errors and original values (make it a HTML form-specific feature)
• Replace CSRF protection with Sec-Fetch-* implementation
• Support trusted origin config (in another PR later)