Set maxAge correctly when expiring WebSession

Closes gh-31214
spring-projects · Nov 8, 2023 · 5c012bb · 5c012bb
1 parent 5df6e88
commit 5c012bb
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/...-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java b/...-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@@ -105,20 +105,20 @@ public List<String> resolveSessionIds(ServerWebExchange exchange) {
 	@Override
 	public void setSessionId(ServerWebExchange exchange, String id) {
 		Assert.notNull(id, "'id' is required");
-		ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge());
+		ResponseCookie cookie = initCookie(exchange, id).build();
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}
 
 	@Override
 	public void expireSession(ServerWebExchange exchange) {
-		ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);
+		ResponseCookie cookie = initCookie(exchange, "").maxAge(0).build();
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}
 
-	private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id, Duration maxAge) {
+	private ResponseCookie.ResponseCookieBuilder initCookie(ServerWebExchange exchange, String id) {
 		ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(this.cookieName, id)
 				.path(exchange.getRequest().getPath().contextPath().value() + "/")
-				.maxAge(maxAge)
+				.maxAge(getCookieMaxAge())
 				.httpOnly(true)
 				.secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
 				.sameSite("Lax");
@@ -127,7 +127,7 @@ private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id,
 			this.initializer.accept(builder);
 		}
 
-		return builder.build();
+		return builder;
 	}
 
 }
diff --git a/...src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java b/...src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
@@ -54,6 +54,15 @@ public void cookieInitializer() {
 		assertCookieValue("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Strict");
 	}
 
+	@Test
+	public void expireSessionWhenMaxAgeSetViaInitializer() {
+		this.resolver.addCookieInitializer(builder -> builder.maxAge(600));
+		this.resolver.expireSession(this.exchange);
+
+		assertCookieValue("SESSION=; Path=/; Max-Age=0; " +
+				"Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Lax");
+	}
+
 	private void assertCookieValue(String expected) {
 		MultiValueMap<String, ResponseCookie> cookies = this.exchange.getResponse().getCookies();
 		assertThat(cookies).hasSize(1);