diff --git a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
index bbbd42afff8..3f7ba8b4ffb 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@
  * - A given list of Cookies
  *
  * @author Luke Taylor
+ * @author Onur Kagan Ozcan
  * @since 3.1
  */
 public final class CookieClearingLogoutHandler implements LogoutHandler {
@@ -46,6 +47,7 @@ public CookieClearingLogoutHandler(String... cookiesToClear) {
 String cookiePath = request.getContextPath() + "/";
 cookie.setPath(cookiePath);
 cookie.setMaxAge(0);
+ cookie.setSecure(request.isSecure());
 return cookie;
 };
 cookieList.add(f);
diff --git a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
index cd35ea18ff0..e67169ad0dd 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/logout/CookieClearingLogoutHandlerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
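Review bot: `cookie.setSecure(request.isSecure())` in the constructor hunk takes the Secure attribute from the container's view of the connection, so behind a TLS-terminating reverse proxy it is false unless forwarded headers are honoured (a ForwardedHeaderFilter or the container's equivalent), and the clearing cookie is then emitted without Secure even though the browser is on https; the hunk carries no comment explaining the choice. Since a cookie's identity is name, domain and path rather than its Secure flag, the Max-Age=0 response should still remove the original cookie over https, so the practical effect is a mismatch with the attributes the original cookie was set with and a Set-Cookie header that looks wrong to anyone auditing responses, rather than a failed logout. A one-line why-comment would make the dependency explicit: `// mirror the request's scheme so the clearing cookie carries the same Secure attribute as a cookie set over this connection; behind a TLS-terminating proxy this relies on forwarded headers being honoured by the container`. The class Javadoc touched in the previous hunk would be the place to state the same caveat for users. The lambda that builds the cookie begins before this hunk and the constructor ends after it.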
@@ -27,6 +27,7 @@
 /**
  * @author Luke Taylor
+ * @author Onur Kagan Ozcan
  */
 public class CookieClearingLogoutHandlerTests {
@@ -61,6 +62,30 @@ public void configuredCookiesAreCleared() {
 }
 }
+ @Test
+ public void configuredCookieIsSecure() {
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setSecure(true);
+ request.setContextPath("/app");
+ CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
+ handler.logout(request, response, mock(Authentication.class));
+ assertThat(response.getCookies()).hasSize(1);
+ assertThat(response.getCookies()[0].getSecure()).isTrue();
+ }
+
+ @Test
+ public void configuredCookieIsNotSecure() {
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setSecure(false);
+ request.setContextPath("/app");
+ CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie");
+ handler.logout(request, response, mock(Authentication.class));
+ assertThat(response.getCookies()).hasSize(1);
+ assertThat(response.getCookies()[0].getSecure()).isFalse();
+ }
+
 @Test
 public void passedInCookiesAreCleared() {
 MockHttpServletResponse response = new MockHttpServletResponse();
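Review bot: The two new tests `configuredCookieIsSecure` and `configuredCookieIsNotSecure` assert only the Secure flag, so a regression in the path or max-age that the same lambda sets (visible in the main-source hunk as `request.getContextPath() + "/"` and `setMaxAge(0)`) would pass unnoticed here; adding `assertThat(response.getCookies()[0].getPath()).isEqualTo("/app/");` and `assertThat(response.getCookies()[0].getMaxAge()).isZero();` to each would pin the whole clearing cookie. The two methods are otherwise identical apart from the boolean passed to `request.setSecure` and the expected flag, which is the usual sign that a small private helper taking that boolean and returning the single cookie would keep each case to its assertions. `passedInCookiesAreCleared` starts on the hunk's last lines and its body continues outside the hunk.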