Set cookie domain for cancel remember-me

Fixes gh-3871
2025-07-10 04:13:31 +00:00 · 2016-05-13 13:31:18 -05:00 · 2016-05-13 13:31:18 -05:00 · c261975be0
commit c261975be0
parent ede521dc8d
2 changed files with 9 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@ -364,7 +364,9 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 		Cookie cookie = new Cookie(cookieName, null);
 		cookie.setMaxAge(0);
 		cookie.setPath(getCookiePath(request));
-
+		if (cookieDomain != null) {
+			cookie.setDomain(cookieDomain);
+		}
 		response.addCookie(cookie);
 	}

--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
@ -253,6 +253,8 @@ public class AbstractRememberMeServicesTests {
 	@Test
 	public void logoutShouldCancelCookie() throws Exception {
 		MockRememberMeServices services = new MockRememberMeServices(uds);
+		services.setCookieDomain("spring.io");
+
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		request.setContextPath("contextpath");
 		request.setCookies(createLoginCookie("cookie:1:2"));
@ -265,6 +267,10 @@ public class AbstractRememberMeServicesTests {
 		services.logout(request, response, null);

 		assertCookieCancelled(response);
+
+		Cookie returnedCookie = response.getCookie(
+				AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+		assertThat(returnedCookie.getDomain()).isEqualTo("spring.io");
 	}

 	@Test(expected = CookieTheftException.class)