Mismatch of cookie path name between Spring Core and Spring Session

[michaelwiles]

The path name for a cookie when using Spring Session cookie management is:

<CONTEXT_PATH>/

The code is provided in DefaultCookieSerializer:

private String getCookiePath(HttpServletRequest request) {
		if (this.cookiePath == null) {
			return request.getContextPath() + "/";
		}
		return this.cookiePath;
	}

Notice how the path ends with a forward slash.

Now when I logout I want to delete this cookie:

So I configure spring security to do exactly that (the session is SESSION)

http.logout()
.defaultLogoutSuccessHandlerFor(new HttpStatusReturningLogoutSuccessHandler(), new 
     AntPathRequestMatcher("/logout"))
.deleteCookies("SESSION");

Doing this invokes the following code from CookieClearingLogoutHandler on logout (you'll see this from the source code of deleteCookies):

	public void logout(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) {
		for (String cookieName : cookiesToClear) {
			Cookie cookie = new Cookie(cookieName, null);
			String cookiePath = request.getContextPath();
			if (!StringUtils.hasLength(cookiePath)) {
				cookiePath = "/";
			}
			cookie.setPath(cookiePath);
			cookie.setMaxAge(0);
			response.addCookie(cookie);
		}
	}

Notice that the cookie path is simply set to requestContext.getContextPath()

No trailing slash.

Thus as things stand spring's logout handler does not delete the cookie as for the cookie to be deleted the paths have to match 😞

Is there a reason why spring session appends the / to the context path?
Is it possible to have this extra slash removed so it is in sync with core springs CookieClearingLogoutHandler?

[vpavic]

Thanks for the report @michaelwiles.

I see your point that DefaultCookieSerializer and CookieClearingLogoutHandler are having somewhat different handling of cookie path. Does configuring cookiePath on DefaultCookieSerializer explicitly help you as a workaround?

Ping @rwinch, can you provide more insight?

[michaelwiles]

The glory of Spring and open source is that you can always make a plan.

I couldn't really go the custom cookie path route as I did not want to hard code my context path (I guess I could have pursued this route further but found the path of least resistance on the Spring core side.

I'm using the spring security configurer to configure my cookie handling. When I found the issue I had the following code:

http is of type org.springframework.security.config.annotation.web.builders.HttpSecurity.

http.logout().deleteCookies("SESSION");

And deleteCookies does this:
addLogoutHandler(new CookieClearingLogoutHandler(cookieNamesToClear));

It is in CookieClearingLogoutHandler that actually uses the context path (and doesn't suffix the /).

So all I did was create my own CookieClearingLogoutHandler which uses the different cookie path.

[vpavic]

I stumbled upon spring-projects/spring-security#2325 recently which is effectively the issue you're reporting here.

Since it's marked as a bug at Spring Security side, I'm inclined to close this as duplicate.

[vpavic]

@michaelwiles This has been addressed via spring-projects/spring-security#2325. The fixed has been backported to 5.0.x and 4.2.x branches of Spring Security.