Properly clean cookies with context path after logout

Closes gh-8846

web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * A logout handler which clears either - A defined list of cookie names, using the
@@ -45,7 +46,8 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
 		for (String cookieName : cookiesToClear) {
 			cookieList.add((request) -> {
 				Cookie cookie = new Cookie(cookieName, null);
-				String cookiePath = request.getContextPath() + "/";
+				String contextPath = request.getContextPath();
+				String cookiePath = StringUtils.hasText(contextPath) ? contextPath : "/";
 				cookie.setPath(cookiePath);
 				cookie.setMaxAge(0);
 				cookie.setSecure(request.isSecure());

web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -58,8 +58,7 @@ public class CookieClearingLogoutHandlerTests {
 		handler.logout(request, response, mock(Authentication.class));
 		assertThat(response.getCookies()).hasSize(2);
 		for (Cookie c : response.getCookies()) {
-			// gh-2325
-			assertThat(c.getPath()).isEqualTo("/app/");
+			assertThat(c.getPath()).isEqualTo("/app");
 			assertThat(c.getMaxAge()).isZero();
 		}
 	}