From 7e6ed526031cb41abdcb2ae092a09d4d3b0f38fc Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Mon, 19 Mar 2018 16:41:27 -0500
Subject: [PATCH] CookieClearingLogoutHandler adds uses contextPath + "/"
Fixes: gh-2325
---
 .../authentication/logout/CookieClearingLogoutHandler.java | 6 +-----
 .../logout/CookieClearingLogoutHandlerTests.java | 3 ++-
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
index 30f42dc9f2..0c172a2c09 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
@@ -22,7 +22,6 @@ import javax.servlet.http.HttpServletResponse;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
-import org.springframework.util.StringUtils;
 /**
 * A logout handler which clears a defined list of cookies, using the context path as the
@@ -43,10 +42,7 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
 Authentication authentication) {
 for (String cookieName : cookiesToClear) {
 Cookie cookie = new Cookie(cookieName, null);
- String cookiePath = request.getContextPath();
- if (!StringUtils.hasLength(cookiePath)) {
- cookiePath = "/";
- }
+ String cookiePath = request.getContextPath() + "/";
 cookie.setPath(cookiePath);
 cookie.setMaxAge(0);
 response.addCookie(cookie);
diff --git a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
index 2e3d95f857..7948fb1465 100644
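Review bot: A cookie that was issued with the bare context path (for example `/app`) would no longer be cleared on logout, because the expiry cookie built in the `for` loop is always sent with `request.getContextPath() + "/"` and a browser only replaces a cookie whose name, domain and path all match. Which path a given cookie carries depends on whoever set it (container session-cookie settings or application code), and that is not visible in this hunk. I would state the requirement in the class Javadoc, e.g. `Cookies are expired with the path contextPath + "/"; a cookie issued with any other path is not removed by this handler.`, so that integrators can check the cookies named in `cookiesToClear`. The `logout` method starts above this hunk.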
--- a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
@@ -55,7 +55,8 @@ public class CookieClearingLogoutHandlerTests {
 handler.logout(request, response, mock(Authentication.class));
 assertThat(response.getCookies()).hasSize(2);
 for (Cookie c : response.getCookies()) {
- assertThat(c.getPath()).isEqualTo("/app");
+ // gh-2325
+ assertThat(c.getPath()).isEqualTo("/app/");
 assertThat(c.getMaxAge()).isZero();
 }
 }