Set maxAge correctly when expiring WebSession

Closes gh-31214
2023-11-06 11:44:51 +00:00 · 2023-11-06 11:44:51 +00:00 · 5c012bbb0c
parent 5df6e8825d
commit 5c012bbb0c
2 changed files with 14 additions and 5 deletions
--- a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@ -105,20 +105,20 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 	@Override
 	public void setSessionId(ServerWebExchange exchange, String id) {
 		Assert.notNull(id, "'id' is required");
-		ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge());
+		ResponseCookie cookie = initCookie(exchange, id).build();
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}

 	@Override
 	public void expireSession(ServerWebExchange exchange) {
-		ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);
+		ResponseCookie cookie = initCookie(exchange, "").maxAge(0).build();
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}

-	private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id, Duration maxAge) {
+	private ResponseCookie.ResponseCookieBuilder initCookie(ServerWebExchange exchange, String id) {
 		ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(this.cookieName, id)
 				.path(exchange.getRequest().getPath().contextPath().value() + "/")
-				.maxAge(maxAge)
+				.maxAge(getCookieMaxAge())
 				.httpOnly(true)
 				.secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
 				.sameSite("Lax");
@ -127,7 +127,7 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 			this.initializer.accept(builder);
 		}

-		return builder.build();
+		return builder;
 	}

 }
--- a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
@ -54,6 +54,15 @@ public class CookieWebSessionIdResolverTests {
 		assertCookieValue("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Strict");
 	}

+	@Test
+	public void expireSessionWhenMaxAgeSetViaInitializer() {
+		this.resolver.addCookieInitializer(builder -> builder.maxAge(600));
+		this.resolver.expireSession(this.exchange);
+
+		assertCookieValue("SESSION=; Path=/; Max-Age=0; " +
+				"Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Lax");
+	}
+
 	private void assertCookieValue(String expected) {
 		MultiValueMap<String, ResponseCookie> cookies = this.exchange.getResponse().getCookies();
 		assertThat(cookies).hasSize(1);