From d05fc2ed9c722f1bfc9fd5009702b0ee3ce0c6ec Mon Sep 17 00:00:00 2001 From: Juergen Hoeller Date: Tue, 31 Mar 2015 09:59:55 +0200 Subject: [PATCH] CookieGenerator explicitly sets 'secure' and 'httpOnly' flags in removeCookie as well Issue: SPR-12865 --- .../org/springframework/web/util/CookieGenerator.java | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java b/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java index 2768278ad1..9e3ba5c08b 100644 --- a/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java +++ b/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2015 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -203,6 +203,12 @@ public class CookieGenerator { Assert.notNull(response, "HttpServletResponse must not be null"); Cookie cookie = createCookie(""); cookie.setMaxAge(0); + if (isCookieSecure()) { + cookie.setSecure(true); + } + if (isCookieHttpOnly()) { + cookie.setHttpOnly(true); + } response.addCookie(cookie); if (logger.isDebugEnabled()) { logger.debug("Removed cookie with name [" + getCookieName() + "]");