The path name for a cookie when using Spring Session cookie management is:

    <CONTEXT_PATH>/

The code is provided in DefaultCookieSerializer:

Notice how the path ends with a forward slash.

Now when I log out I want to delete this cookie:
So I configure Spring Security to do exactly that (the session cookie is SESSION):

    http.logout()
        .defaultLogoutSuccessHandlerFor(new HttpStatusReturningLogoutSuccessHandler(),
                new AntPathRequestMatcher("/logout"))
        .deleteCookies("SESSION");
Doing this invokes the following code from CookieClearingLogoutHandler on logout (you'll see this from the source code of deleteCookies):
    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        for (String cookieName : cookiesToClear) {
            // Expire the cookie by re-sending it with Max-Age=0 ...
            Cookie cookie = new Cookie(cookieName, null);
            // ... at the bare context path ("" for the root context, "/app" otherwise)
            String cookiePath = request.getContextPath();
            if (!StringUtils.hasLength(cookiePath)) {
                cookiePath = "/";
            }
            // No trailing slash is appended, so this is "/app", not the "/app/"
            // that DefaultCookieSerializer used when it set the cookie
            cookie.setPath(cookiePath);
            cookie.setMaxAge(0);
            response.addCookie(cookie);
        }
    }
Notice that the cookie path is simply set to request.getContextPath().

No trailing slash.

Thus, as things stand, Spring's logout handler does not delete the cookie, since for the cookie to be deleted the paths have to match 😞

Is there a reason why Spring Session appends the / to the context path?

Is it possible to have this extra slash removed so it is in sync with core Spring's CookieClearingLogoutHandler?
I see your point that DefaultCookieSerializer and CookieClearingLogoutHandler handle the cookie path somewhat differently. Does configuring cookiePath on DefaultCookieSerializer explicitly help you as a workaround?
The glory of Spring and open source is that you can always make a plan.
I couldn't really go the custom cookie path route as I did not want to hard-code my context path (I guess I could have pursued this route further but found the path of least resistance on the Spring core side).
I'm using the Spring Security configurer to configure my cookie handling. When I found the issue I had the following code (http is of type org.springframework.security.config.annotation.web.builders.HttpSecurity):

    http.logout().deleteCookies("SESSION");

And deleteCookies does this:

    addLogoutHandler(new CookieClearingLogoutHandler(cookieNamesToClear));

It is CookieClearingLogoutHandler that actually uses the context path (and doesn't suffix the /).

So all I did was create my own CookieClearingLogoutHandler which uses the different cookie path.
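One way to implement the custom handler the reporter describes, covering both the mismatch shown in the issue body and the workaround in this comment, as an added example that is neither the reporter's code nor Spring's own: a LogoutHandler that expires the cookie at the same `<contextPath>/` path that DefaultCookieSerializer writes, plus the HttpSecurity configuration that registers it in place of deleteCookies("SESSION"). The class name SessionCookieClearingLogoutHandler, the javax.servlet package names (pre-Jakarta) and the WebSecurityConfigurerAdapter-style configuration are assumptions chosen to match the Spring Security 4.x era of this thread.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * Example (not Spring's code): expires cookies written by Spring Session's
 * DefaultCookieSerializer. That serializer sets Path to "<contextPath>/", and a
 * browser only replaces a stored cookie when name, domain and path all match,
 * so the expiring Set-Cookie must carry exactly that path, trailing slash included.
 */
public class SessionCookieClearingLogoutHandler implements LogoutHandler {

    private final String[] cookieNames;

    public SessionCookieClearingLogoutHandler(String... cookieNames) {
        this.cookieNames = cookieNames.clone();
    }

    /**
     * Same derivation DefaultCookieSerializer uses when no explicit cookiePath is
     * configured: the servlet context path ("" for the root context, "/app" otherwise)
     * plus a trailing "/". This is what CookieClearingLogoutHandler does not do.
     */
    static String sessionCookiePath(HttpServletRequest request) {
        return request.getContextPath() + "/";
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        String path = sessionCookiePath(request);
        for (String name : cookieNames) {
            Cookie expired = new Cookie(name, "");
            expired.setPath(path);            // "/app/", matching the serializer
            expired.setMaxAge(0);             // Max-Age=0 tells the browser to drop it
            expired.setHttpOnly(true);        // keep the attributes of the original cookie
            expired.setSecure(request.isSecure());
            response.addCookie(expired);
        }
    }

    /** Registers the handler in place of deleteCookies("SESSION"). */
    @EnableWebSecurity
    public static class LogoutConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.logout()
                .defaultLogoutSuccessHandlerFor(new HttpStatusReturningLogoutSuccessHandler(),
                        new AntPathRequestMatcher("/logout"))
                // instead of .deleteCookies("SESSION"), whose handler expires the
                // cookie at "/app" rather than "/app/" and therefore leaves it in place
                .addLogoutHandler(new SessionCookieClearingLogoutHandler("SESSION"));
        }
    }
}
```

Two checks worth making with this in place. First, if DefaultCookieSerializer has been given an explicit cookiePath or domainName, the expiring cookie must carry those same values (browsers identify a cookie by name, domain and path, RFC 6265 section 5.3), otherwise the original survives logout just as it does with the trailing-slash mismatch. Second, after a POST to /logout the response should contain a Set-Cookie header of the form SESSION=; Path=/<context>/; Max-Age=0 and the next request from that browser should arrive with no SESSION cookie at all; a SESSION cookie still being sent after logout is the symptom this thread is about.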