diff --git a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java index e47c07dce1..1ed2590024 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java +++ b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2021 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,6 +26,7 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.security.core.Authentication; import org.springframework.util.Assert; +import org.springframework.util.StringUtils; /** * A logout handler which clears either - A defined list of cookie names, using the @@ -45,7 +46,8 @@ public final class CookieClearingLogoutHandler implements LogoutHandler { for (String cookieName : cookiesToClear) { cookieList.add((request) -> { Cookie cookie = new Cookie(cookieName, null); - String cookiePath = request.getContextPath() + "/"; + String contextPath = request.getContextPath(); + String cookiePath = StringUtils.hasText(contextPath) ? contextPath : "/"; cookie.setPath(cookiePath); cookie.setMaxAge(0); cookie.setSecure(request.isSecure()); diff --git a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java index 4db405ae4b..b78dcb807e 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2021 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -58,8 +58,7 @@ public class CookieClearingLogoutHandlerTests { handler.logout(request, response, mock(Authentication.class)); assertThat(response.getCookies()).hasSize(2); for (Cookie c : response.getCookies()) { - // gh-2325 - assertThat(c.getPath()).isEqualTo("/app/"); + assertThat(c.getPath()).isEqualTo("/app"); assertThat(c.getMaxAge()).isZero(); } }