Zbigniew Ruchała (Migrated from SEC-1356) said:
AbstractRememberMeServices#extractRememberMeCookie verifies the cookie only by its name, but #cancelCookie and #setCookie use the path as well. This leads to a problem when more than one application, deployed under different context paths, is hosted on the same machine. While the cookie from the app at (/) is used to log into (/service), when the user logs out from /service the cookie does not vanish (#cancelCookie sets the path).
Luke Taylor said:
I've modified extractRememberMeCookie to check the path of the incoming cookie against the context path of the request, which should prevent cookies from being mixed up. If someone wants to share them, they should override the setting and extraction methods to use a less-specific path.
This change doesn't make sense, as the browser won't submit the path with the cookie. It only uses the path to decide whether to submit the cookie with a request.
I've reverted the changes for this issue. I think it will be a "won't fix". You will probably have to use different cookie names for different applications, or deploy them under separate distinct paths which don't match.