KEYCLOAK_SESSION not working for some user federation setups

Describe the bug

In some cases with user federation, the ID of the user can contain some special characters. For example when configured LDAP provider with “Import Users” set to OFF and with “UUID LDAP Attribute” set to “uid” . Then when you have some user with special character in the “uid”, this is in turn used as the ID of the user. And this is saved in the KEYCLOAK_SESSION cookie:

KEYCLOAK_SESSION=**:spécial.char/**; 
KEYCLOAK_SESSION_LEGACY=***; 

The character “é” is present in the cookie name, which is not allowed by the undertow server. In the log is this (likely when accessing Keycloak from some Javascript application when the particular user with special character is logged):

ERROR [io.undertow.request] (default task-2) UT005023: Exception handling request to /auth/realms/defence-intra/protocol
/openid-connect/login-status-iframe.html: java.lang.IllegalArgumentException: UT000173: An invalid control character [233] was 
present in the cookie value or attribute

Version

19.0.1

Anything else?

For the fix, it is probably easiest to Base64Url encode the cookie KEYCLOAK_SESSION (and maybe some other related cookies, not yet sure for which of them is this applicable) to make sure that there are not special characters in these cookies.