
SEC-2091: CookieClearingLogoutHandler doesn't work correctly when servlet container adds an extra '/' at the end of the contextPath #2325

Closed
spring-projects-issues opened this issue Dec 10, 2012 · 6 comments

@spring-projects-issues spring-projects-issues commented Dec 10, 2012

Yannis Thanasoulas (Migrated from SEC-2091) said:

ApplicationSessionCookieConfig.createSessionCookie(Context,String,boolean) method adds a '/' at the end of the contextPath when the session cookie path has a trailing '/'.

  if (context.getSessionCookiePathUsesTrailingSlash()) {
      // Handle special case of ROOT context where cookies require a path of
      // '/' but the servlet spec uses an empty string
      // Also ensure the cookies for a context with a path of /foo don't get
      // sent for requests with a path of /foobar
      if (!contextPath.endsWith("/")) {
          contextPath = contextPath + "/";
      }
  }

In this case, CookieClearingLogoutHandler doesn't set the correct path to the cookie.

  String cookiePath = request.getContextPath();
  if(!StringUtils.hasLength(cookiePath)) {
    cookiePath = "/";
  }
  cookie.setPath(cookiePath);

A workaround for this issue is to disable the sessionCookiePathUsesTrailingSlash attribute on the Tomcat context, as described at [http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context]

or to implement a custom CookieClearingLogoutHandler:

import java.util.Arrays;
import java.util.List;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;


public final class CustomCookieClearingLogoutHandler implements LogoutHandler {
    private final List<String> cookiesToClear;

    public CustomCookieClearingLogoutHandler(String... cookiesToClear) {
        Assert.notNull(cookiesToClear, "List of cookies cannot be null");
        this.cookiesToClear = Arrays.asList(cookiesToClear);
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        for (String cookieName : cookiesToClear) {
            Cookie cookie = new Cookie(cookieName, null);
            String cookiePath = request.getContextPath();
            if(!StringUtils.hasLength(cookiePath)) {
                cookiePath = "/";
            }else if (cookiePath.startsWith("/")){
                // Match the trailing '/' Tomcat appends when sessionCookiePathUsesTrailingSlash is on
                cookiePath += "/";
            }
            cookie.setPath(cookiePath);
            cookie.setMaxAge(0);
            response.addCookie(cookie);
        }
    }
}
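The report above never spells out why the stale JSESSIONID keeps being sent: a browser keys stored cookies on (name, domain, path), so a clearing cookie with Path=/app and Max-Age=0 does not touch an entry stored with Path=/app/. The following is an added model of that behaviour, written for this issue and not code from Spring Security or Tomcat; it implements the RFC 6265 path-match rule and a minimal cookie store, and also shows the defensive variant of clearing at both candidate paths (my suggestion, not something the thread proposes). All paths and values are constructed.

```python
"""Model of why a logout cookie with the wrong Path does not clear the session.

Constructed example, not code from Spring Security or Tomcat. It follows the
RFC 6265 rules that matter here: a cookie store keys entries on
(name, domain, path), and a cookie is only sent on a request whose path
"path-matches" the cookie's path (section 5.1.4). A Set-Cookie whose Path
differs from the stored cookie's Path therefore creates a second entry
instead of replacing (or, with Max-Age=0, deleting) the original.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    path: str
    max_age: Optional[int] = None  # None = session cookie; 0 = expire immediately


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # "/foo" matches "/foo/bar" but must not match "/foobar"
    return request_path[len(cookie_path)] == "/"


class CookieJar:
    """Minimal cookie store: one entry per (name, path); single host, so domain is omitted."""

    def __init__(self) -> None:
        self._store: dict = {}

    def set_cookie(self, cookie: StoredCookie) -> None:
        key = (cookie.name, cookie.path)
        # RFC 6265 section 5.3: a cookie that is already expired (Max-Age <= 0)
        # evicts the entry with the same key; otherwise it replaces that entry.
        if cookie.max_age is not None and cookie.max_age <= 0:
            self._store.pop(key, None)
        else:
            self._store[key] = cookie

    def cookies_for(self, request_path: str) -> list:
        return [c for c in self._store.values() if path_matches(c.path, request_path)]


def simulate_logout(session_cookie_path: str, clearing_cookie_paths: Iterable[str]) -> list:
    """Return the cookie names the browser still sends to /app/home after logout.

    session_cookie_path: the Path the container put on JSESSIONID ("/app/" when
    Tomcat's sessionCookiePathUsesTrailingSlash is on, "/app" otherwise).
    clearing_cookie_paths: the Path(s) the logout handler uses for its Max-Age=0 cookie.
    """
    jar = CookieJar()
    # 1. Container issues the session cookie (constructed value).
    jar.set_cookie(StoredCookie("JSESSIONID", "constructed-session-id", session_cookie_path))
    # 2. Logout handler emits one clearing cookie per path.
    for path in clearing_cookie_paths:
        jar.set_cookie(StoredCookie("JSESSIONID", "", path, max_age=0))
    # 3. Browser follows the post-logout redirect inside the context.
    return [c.name for c in jar.cookies_for("/app/home")]


if __name__ == "__main__":
    # Mismatched path: the session cookie survives logout.
    print(simulate_logout("/app/", ["/app"]))          # ['JSESSIONID']
    # Path matches what Tomcat set: cleared.
    print(simulate_logout("/app/", ["/app/"]))         # []
    # Clearing at both paths works whatever the container setting is.
    print(simulate_logout("/app/", ["/app", "/app/"])) # []
    print(simulate_logout("/app", ["/app", "/app/"]))  # []
```

Running the model reproduces the packet capture described later in the thread: with the mismatched path the JSESSIONID cookie is still presented on the redirect, which is exactly the condition a server-side logout check (or a session-fixation test) should look for.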

@spring-projects-issues spring-projects-issues commented Aug 31, 2015

Tomoyuki Ikeya said:

I faced the same issue with Spring Security 3.2.7.RELEASE when I set the invalidate-session-url attribute in .
After logout, I got the error page set as invalidate-session-url. I captured the HTTP packets and noticed that the browser cookie was not cleared correctly, so the browser sent the JSESSIONID cookie when redirecting.
I cannot understand why this issue has not been fixed in more than 2 years...


@PhoneixS PhoneixS commented Mar 14, 2018

This is still a problem in Spring-Security 5.


@rwinch rwinch commented Mar 19, 2018

This is now fixed in master, 5.0.x, and 4.2.x

devefx added a commit to devefx/cas that referenced this issue May 7, 2018
Pivotal Software Spring Security : List of security vulnerabilities
Security vulnerabilities of Pivotal Software Spring Security : List of all related CVE security vulnerabilities.

CVSS Scores, vulnerability details and links to full CVE details and references.

Ref : https://www.cvedetails.com/vulnerability-list/vendor_id-15183/product_id-35566/Pivotal-Software-Spring-Security.html

There is one security update (spring-projects/spring-security#2325), but it looks like we can use 4.2.4 too.
mmoayyed pushed a commit to apereo/cas that referenced this issue May 7, 2018

@AMF1107 AMF1107 commented Jun 25, 2020

I'm using Spring Security 5.2.4 and the trailing / still exists


@matiaslaino matiaslaino commented Jul 4, 2020

I'm on Spring Security 5.2.1 and this issue persists.


@rwinch rwinch commented Jul 7, 2020

If you are experiencing the issue, please create a new ticket with a complete and minimal sample.
