From baac9e0cf274aec29f8b8a26f001df8e60cb1979 Mon Sep 17 00:00:00 2001
From: AlexeyAnufriev
Date: Wed, 12 May 2021 17:59:34 +0200
Subject: [PATCH] Properly clean cookies with context path after logout
Closes gh-8846
---
.../authentication/logout/CookieClearingLogoutHandler.java | 6 ++++--
.../logout/CookieClearingLogoutHandlerTests.java | 5 ++---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
index e47c07dce1..1ed2590024 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 /**
 * A logout handler which clears either - A defined list of cookie names, using the
@@ -45,7 +46,8 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
 for (String cookieName : cookiesToClear) {
 cookieList.add((request) -> {
 Cookie cookie = new Cookie(cookieName, null);
- String cookiePath = request.getContextPath() + "/";
+ String contextPath = request.getContextPath();
+ String cookiePath = StringUtils.hasText(contextPath) ? contextPath : "/";
 cookie.setPath(cookiePath);
 cookie.setMaxAge(0);
 cookie.setSecure(request.isSecure());
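Review bot: A clearing cookie only takes effect when its path is identical to the path the original cookie was issued with, and the new `cookiePath` expression bakes in the assumption that every name in `cookiesToClear` was issued at the context path (or at `/` for a root deployment). That is the usual container default for the session cookie, but a cookie the application issued with its own path (say `/` from inside `/app`, or a customised session cookie path) will silently survive logout, and the same exact-match rule applies to the Domain attribute, which this handler never sets; the lambda should say so, e.g. above the new lines: `// Browsers replace a cookie only when name, domain and path match exactly, so the expiring cookie must carry the path the cookie was set with: the context path, or "/" for the root context.` Since `HttpServletRequest.getContextPath()` is specified to return `""` for the root context and otherwise a string beginning with `/`, `contextPath.isEmpty()` would state the intent more precisely than `StringUtils.hasText`, although `hasText` is harmless here. The enclosing constructor of `CookieClearingLogoutHandler` starts and ends outside this hunk.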
diff --git a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
index 4db405ae4b..b78dcb807e 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -58,8 +58,7 @@ public class CookieClearingLogoutHandlerTests {
 handler.logout(request, response, mock(Authentication.class));
 assertThat(response.getCookies()).hasSize(2);
 for (Cookie c : response.getCookies()) {
- // gh-2325
- assertThat(c.getPath()).isEqualTo("/app/");
+ assertThat(c.getPath()).isEqualTo("/app");
 assertThat(c.getMaxAge()).isZero();
 }
 }
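Review bot: The updated assertion pins only the non-root case (`/app`), so the other branch of the new ternary — an empty context path yielding `/` — is never exercised, and a regression there would pass this suite. Add a sibling test that leaves the context path empty (presumably the existing setup, outside this hunk, is what sets it to `/app`) and asserts `assertThat(c.getPath()).isEqualTo("/")` for every returned cookie. It would also be worth asserting that each cookie's value is null and that the names match the ones passed to the handler, since a max-age of zero on the wrong name or path is not a deletion at all. The test method's setup lines start outside this hunk.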