Set secure on cookie when logging out

Mark cookie secure flag to ensure cookie identity is the same
This commit is contained in:
Onur Kağan Özcan
2020-01-13 13:01:33 +03:00
committed by Eleftheria Stein-Kousathana
parent 8f1d0cf528
commit 1f6381d970
2 changed files with 29 additions and 2 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@ import org.springframework.security.core.Authentication;
/**
* @author Luke Taylor
* @author Onur Kagan Ozcan
*/
public class CookieClearingLogoutHandlerTests {
@@ -61,6 +62,30 @@ public class CookieClearingLogoutHandlerTests {
}
}
@Test
public void configuredCookieIsSecure() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setSecure(true);
request.setContextPath("/app");
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
handler.logout(request, response, mock(Authentication.class));
assertThat(response.getCookies()).hasSize(1);
assertThat(response.getCookies()[0].getSecure()).isTrue();
}
@Test
public void configuredCookieIsNotSecure() {
MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setSecure(false);
request.setContextPath("/app");
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
handler.logout(request, response, mock(Authentication.class));
assertThat(response.getCookies()).hasSize(1);
assertThat(response.getCookies()[0].getSecure()).isFalse();
}
@Test
public void passedInCookiesAreCleared() {
MockHttpServletResponse response = new MockHttpServletResponse();