Issue
I use the following security configuration for my Spring boot app:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .authorizeRequests()
            // /login and /signup are open; everything else needs an authenticated user
            .antMatchers("/login", "/signup").permitAll()
            .anyRequest().authenticated()
            .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .deleteCookies("auth_code")
            .invalidateHttpSession(true)
            .and()
        // We filter the api/signup requests
        .addFilterBefore(
            new JWTSignupFilter("/signup", authenticationManager(),
                accountRepository, passwordEncoder),
            UsernamePasswordAuthenticationFilter.class)
        // We filter the api/login requests
        .addFilterBefore(
            new JWTLoginFilter("/login", authenticationManager()),
            UsernamePasswordAuthenticationFilter.class)
        // And filter other requests to check the presence of JWT in
        // header
        .addFilterBefore(new JWTAuthenticationFilter(userDetailsServiceBean()),
            UsernamePasswordAuthenticationFilter.class);
}
When I log out, I want to delete the cookie that was set during login. I use deleteCookies, but the response header contains nothing about deleting the cookie that was set during login. Why?
How should I tell the browser to delete the cookie?
Right now, the header for the response contains :
Set-Cookie: JSESSIONID=E4060381B435217F7D68EAAE82903BB0;path=/;Secure;HttpOnly
Should I set the expiration time for the cookie to a date past the current date ?
Solution
You shouldn't need to delete the cookie. Once the session has closed on the server, the cookie can't be used anyway, and it will be replaced if the person returns. Just let it expire normally (by default, when the browser is closed).
Answered By - ThrawnCA
Answer Checked By - Katrina (JavaFixing Volunteer)
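For readers who do want the browser to drop the cookie explicitly, the following is an added example, not code from the post or the answer. A JWT kept in a cookie is not bound to the server-side HttpSession, so invalidateHttpSession(true) does not stop the token from being presented again before it expires; the browser only discards it when it receives a Set-Cookie for the same Name, Path and Domain with Max-Age=0 (or an Expires in the past). The cookie attributes below (Path=/, Secure, HttpOnly) are assumptions about what the login filter used; adjust them to match the cookie as it was originally set.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Hypothetical LogoutHandler (not from the post) that tells the browser to drop
 * the JWT cookie. A browser replaces a stored cookie only when Name, Path and
 * Domain match, so these attributes must mirror whatever the login filter used.
 */
class ClearAuthCookieLogoutHandler implements LogoutHandler {

    // Cookie name taken from the deleteCookies("auth_code") call on the page.
    static final String COOKIE_NAME = "auth_code";

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        Cookie expired = new Cookie(COOKIE_NAME, "");
        expired.setPath("/");      // assumption: the login filter set Path=/
        expired.setSecure(true);   // assumption: the login cookie was Secure ...
        expired.setHttpOnly(true); // ... and HttpOnly, like the JSESSIONID shown above
        expired.setMaxAge(0);      // Max-Age=0: the browser discards the cookie immediately
        response.addCookie(expired);
    }
}

/** Minimal configuration wiring the handler into the logout flow. */
class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/signup").permitAll()
                .anyRequest().authenticated()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login")
                // deleteCookies() installs CookieClearingLogoutHandler, which also
                // sends Max-Age=0 but derives Path from the servlet context path.
                // The custom handler lets you match a different Path or Domain.
                .addLogoutHandler(new ClearAuthCookieLogoutHandler())
                .invalidateHttpSession(true);
    }
}
```

The expiring Set-Cookie header is written on the response to /logout itself, which is a 302 to /login; if you follow the redirect and inspect the /login response you will only see a fresh JSESSIONID, as in the question. Check it with a client that does not follow redirects, for example curl -i -X POST -b 'auth_code=...' https://example.test/logout (host assumed). If CSRF protection is left enabled, logout must be a POST carrying the CSRF token; the page's configuration disables CSRF, so a GET works there too.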