Yannis Thanasoulas (Migrated from SEC-2091) said:

ApplicationSessionCookieConfig.createSessionCookie(Context,String,boolean) method adds a '/' at the end of the contextPath when the session cookie path has a trailing '/'.

  if (context.getSessionCookiePathUsesTrailingSlash()) {
      // Handle special case of ROOT context where cookies require a path of
      // '/' but the servlet spec uses an empty string
      // Also ensure the cookies for a context with a path of /foo don't get
      // sent for requests with a path of /foobar
      if (!contextPath.endsWith("/")) {
          contextPath = contextPath + "/";
      }
  }

In this case, CookieClearingLogoutHandler doesn't set the correct path to the cookie.

  String cookiePath = request.getContextPath();
  if (!StringUtils.hasLength(cookiePath)) {
      cookiePath = "/";
  }
  cookie.setPath(cookiePath);

A workaround for this issue is to disable the sessionCookiePathUsesTrailingSlash attribute on the Tomcat context, as described at [http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context]

or by implementing a custom CookieClearingLogoutHandler

import java.util.Arrays;
import java.util.List;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;


public final class CustomCookieClearingLogoutHandler implements LogoutHandler {
    private final List<String> cookiesToClear;

    public CustomCookieClearingLogoutHandler(String... cookiesToClear) {
        Assert.notNull(cookiesToClear, "List of cookies cannot be null");
        this.cookiesToClear = Arrays.asList(cookiesToClear);
    }

    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        for (String cookieName : cookiesToClear) {
            Cookie cookie = new Cookie(cookieName, null);
            String cookiePath = request.getContextPath();
            if (!StringUtils.hasLength(cookiePath)) {
                // ROOT context: the servlet spec gives "" but the cookie needs "/"
                cookiePath = "/";
            } else if (cookiePath.startsWith("/")) {
                // Match the trailing slash Tomcat adds when
                // sessionCookiePathUsesTrailingSlash is enabled
                cookiePath += "/";
            }
            cookie.setPath(cookiePath);
            cookie.setMaxAge(0);
            response.addCookie(cookie);
        }
    }
}
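The following is an added example, not code from the issue, Tomcat or Spring Security. It models the mismatch described above: a browser only replaces or evicts a stored cookie when name, domain and path are identical (RFC 6265 storage rule), so a clearing Set-Cookie with path "/foo" leaves a session cookie stored under "/foo/" untouched. The Tomcat path logic for the non-trailing-slash branch (ROOT context falls back to "/") is assumed, since the quoted snippet only shows the trailing-slash branch.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass(frozen=True)
class Cookie:
    name: str
    path: str
    value: str
    max_age: Optional[int] = None  # None = session cookie, 0 = delete


def tomcat_session_cookie_path(context_path: str, uses_trailing_slash: bool) -> str:
    """Path Tomcat's createSessionCookie puts on JSESSIONID for a context."""
    if uses_trailing_slash:
        # "" -> "/", "/foo" -> "/foo/" (so it is not sent for /foobar)
        return context_path if context_path.endswith("/") else context_path + "/"
    return context_path or "/"  # assumed: ROOT context still needs "/"


def spring_clear_path(context_path: str) -> str:
    """Path used by the original CookieClearingLogoutHandler (no trailing slash)."""
    return context_path or "/"


def custom_clear_path(context_path: str) -> str:
    """Path used by the custom handler from the report (adds the trailing slash)."""
    if not context_path:
        return "/"
    return context_path + "/" if context_path.startswith("/") else context_path


def apply_set_cookie(jar: Set[Cookie], incoming: Cookie) -> Set[Cookie]:
    """Browser storage rule: only an exact name+path match is replaced or evicted."""
    kept = {c for c in jar if not (c.name == incoming.name and c.path == incoming.path)}
    if incoming.max_age is None or incoming.max_age > 0:
        kept.add(incoming)
    return kept


def session_survives_logout(context_path: str, trailing_slash: bool,
                            clear_path: Callable[[str], str]) -> bool:
    """True if JSESSIONID is still stored after the logout response."""
    session_path = tomcat_session_cookie_path(context_path, trailing_slash)
    jar = apply_set_cookie(set(), Cookie("JSESSIONID", session_path, "constructed-id"))
    jar = apply_set_cookie(jar, Cookie("JSESSIONID", clear_path(context_path), "", 0))
    return any(c.name == "JSESSIONID" for c in jar)
```

Note that the custom handler hard-codes the opposite assumption: with sessionCookiePathUsesTrailingSlash disabled it is the one that fails to clear "/foo", so apply only one of the two workarounds.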

Comment From: spring-projects-issues

Tomoyuki Ikeya said:

I faced the same issue with Spring Security 3.2.7.RELEASE when I set the invalidate-session-url attribute in . After logout, I got the error page set as invalidate-session-url. I captured the HTTP packets and noticed that the browser cookie was not cleared correctly, so the browser sent the JSESSIONID cookie when redirecting. I cannot understand why this issue has not been fixed for more than 2 years...

Comment From: PhoneixS

This is still a problem in Spring-Security 5.

Comment From: rwinch

This is now fixed in master, 5.0.x, and 4.2.x

Comment From: AMF1107

I'm using Spring Security 5.2.4 and the trailing / still exists

Comment From: matiaslaino

I'm on Spring Security 5.2.1 and this issue persists.

Comment From: rwinch

If you are experiencing the issue, please create a new ticket with a complete and minimal sample