From 1f6381d970d4de5c889834d97b02020c8abbfe67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Onur=20Ka=C4=9Fan=20=C3=96zcan?=
Date: Mon, 13 Jan 2020 13:01:33 +0300
Subject: [PATCH] Set secure on cookie when logging out

Mark cookie secure flag to ensure cookie identity is the same
---
 .../logout/CookieClearingLogoutHandler.java | 4 ++-
 .../CookieClearingLogoutHandlerTests.java | 27 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
index bbbd42afff..3f7ba8b4ff 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@ import org.springframework.util.Assert;
  * - A given list of Cookies
  *
  * @author Luke Taylor
+ * @author Onur Kagan Ozcan
  * @since 3.1
  */
 public final class CookieClearingLogoutHandler implements LogoutHandler {
@@ -46,6 +47,7 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
 			String cookiePath = request.getContextPath() + "/";
 			cookie.setPath(cookiePath);
 			cookie.setMaxAge(0);
+			cookie.setSecure(request.isSecure());
 			return cookie;
 		};
 		cookieList.add(f);
diff --git a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
index cd35ea18ff..e67169ad0d 100644
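Review bot: The new `cookie.setSecure(request.isSecure());` line in the `@@ -46` hunk changes what the clearing cookie looks like, but the class Javadoc touched in the `@@ -32` hunk still only lists what gets cleared, so a reader has no idea why the flag is mirrored from the request. I would add to that Javadoc: `The clearing cookie is flagged {@code Secure} when {@code HttpServletRequest#isSecure()} is true, so that browsers which refuse to let a non-secure cookie replace an existing Secure cookie still expire it.` It is also worth stating there that `isSecure()` reflects the servlet container's view of the connection, so behind a TLS-terminating proxy it is only true when forwarded headers are honoured (container configuration or Spring's `ForwardedHeaderFilter`); otherwise the clearing cookie may be emitted without `Secure` and, depending on the browser, the original cookie may survive logout. The lambda that builds the cookie, and the constructor around it, start above this hunk, so only the tail of that code is visible here.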
--- a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@ import org.springframework.security.core.Authentication;
 
 /**
  * @author Luke Taylor
+ * @author Onur Kagan Ozcan
  */
 public class CookieClearingLogoutHandlerTests {
 
@@ -61,6 +62,30 @@ public class CookieClearingLogoutHandlerTests {
 		}
 	}
 
+	@Test
+	public void configuredCookieIsSecure() {
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setSecure(true);
+		request.setContextPath("/app");
+		CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
+		handler.logout(request, response, mock(Authentication.class));
+		assertThat(response.getCookies()).hasSize(1);
+		assertThat(response.getCookies()[0].getSecure()).isTrue();
+	}
+
+	@Test
+	public void configuredCookieIsNotSecure() {
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setSecure(false);
+		request.setContextPath("/app");
+		CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
+		handler.logout(request, response, mock(Authentication.class));
+		assertThat(response.getCookies()).hasSize(1);
+		assertThat(response.getCookies()[0].getSecure()).isFalse();
+	}
+
 	@Test
 	public void passedInCookiesAreCleared() {
 		MockHttpServletResponse response = new MockHttpServletResponse();
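Review bot: `configuredCookieIsSecure` and `configuredCookieIsNotSecure` in the `@@ -61` hunk are identical apart from the boolean passed to `request.setSecure(...)` and the final assertion, so the eight-line setup is written twice; a small helper that runs the logout for a given scheme and returns the single clearing cookie leaves each test with only the assertion it exists for, and lets a future case (another context path, or the `Cookie...` constructor) be added in one line. The `hasSize(1)` check then lives once in the helper. The helper's return type is `Cookie`, which I assume the test file already imports for `passedInCookiesAreCleared`; if not, that import is needed. Both new methods sit entirely inside the hunk, while the enclosing class continues above and below it.
```java
	@Test
	public void configuredCookieIsSecure() {
		assertThat(clearingCookieFor(true).getSecure()).isTrue();
	}

	@Test
	public void configuredCookieIsNotSecure() {
		assertThat(clearingCookieFor(false).getSecure()).isFalse();
	}

	// Runs a logout for "my_cookie" under the given scheme and returns the one cookie the handler emitted.
	private Cookie clearingCookieFor(boolean secure) {
		MockHttpServletResponse response = new MockHttpServletResponse();
		MockHttpServletRequest request = new MockHttpServletRequest();
		request.setSecure(secure);
		request.setContextPath("/app");
		CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
		handler.logout(request, response, mock(Authentication.class));
		assertThat(response.getCookies()).hasSize(1);
		return response.getCookies()[0];
	}

	// … unchanged: passedInCookiesAreCleared …
```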