Properly clean cookies with context path after logout

Closes gh-8846
AlexeyAnufriev 2021-05-12 17:59:34 +02:00 committed by Eleftheria Stein-Kousathana
parent 204a32aba8
commit baac9e0cf2
2 changed files with 6 additions and 5 deletions


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -26,6 +26,7 @@ import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/** /**
* A logout handler which clears either - A defined list of cookie names, using the * A logout handler which clears either - A defined list of cookie names, using the
@ -45,7 +46,8 @@ public final class CookieClearingLogoutHandler implements LogoutHandler {
for (String cookieName : cookiesToClear) { for (String cookieName : cookiesToClear) {
cookieList.add((request) -> { cookieList.add((request) -> {
Cookie cookie = new Cookie(cookieName, null); Cookie cookie = new Cookie(cookieName, null);
String cookiePath = request.getContextPath() + "/"; String contextPath = request.getContextPath();
String cookiePath = StringUtils.hasText(contextPath) ? contextPath : "/";
cookie.setPath(cookiePath); cookie.setPath(cookiePath);
cookie.setMaxAge(0); cookie.setMaxAge(0);
cookie.setSecure(request.isSecure()); cookie.setSecure(request.isSecure());
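Review bot: The new `cookiePath` ternary needs a why-comment, because without one the next maintainer may well reintroduce the trailing slash the old line built. The reason this change matters is that browsers select a cookie by name, domain and Path, so an expiring cookie whose Path differs from the one used when the cookie was set leaves the original cookie in place after logout; presumably that is the gh-8846 symptom. I would add above the ternary: `// Path must match exactly what the cookie was originally set with (the context path without a trailing slash, or "/" for the root context); a mismatched Path creates a new cookie instead of clearing the existing one.` The enclosing lambda and constructor continue outside the hunk.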


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -58,8 +58,7 @@ public class CookieClearingLogoutHandlerTests {
handler.logout(request, response, mock(Authentication.class)); handler.logout(request, response, mock(Authentication.class));
assertThat(response.getCookies()).hasSize(2); assertThat(response.getCookies()).hasSize(2);
for (Cookie c : response.getCookies()) { for (Cookie c : response.getCookies()) {
// gh-2325 assertThat(c.getPath()).isEqualTo("/app");
assertThat(c.getPath()).isEqualTo("/app/");
assertThat(c.getMaxAge()).isZero(); assertThat(c.getMaxAge()).isZero();
} }
} }
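Review bot: The updated assertion only covers the non-empty context path ("/app"); the other branch of the handler's new `StringUtils.hasText(contextPath) ? contextPath : "/"` expression, where `getContextPath()` returns "" for a root-deployed application, is not exercised by any visible test. I would add a second test that builds the request with an empty context path, calls `handler.logout(...)` the same way, and asserts `assertThat(c.getPath()).isEqualTo("/");` for each cleared cookie, since that is the case a regression would most likely silently break. The enclosing test method starts outside the hunk.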