Populate returnURL on Forbidden mapping for cookie auth

[blowdart]

This way a forbidden page could prompt for a new login and redirect back to the previous resource, in much the same way a login/unauthorized page does now.

[blowdart]

Adding scenario - if a user needs extra auth for sensitive operations you could, for example, check for a 2FA claim, get forbidden and then prompt for a login, redirecting back once complete.

[HaoK]

dc6e916