From 5c012bbb0cc5bc7c7e44b83fa3e3e737d0eebb34 Mon Sep 17 00:00:00 2001
From: rstoyanchev
Date: Mon, 6 Nov 2023 11:44:51 +0000
Subject: [PATCH] Set maxAge correctly when expiring WebSession

Closes gh-31214
---
 .../web/server/session/CookieWebSessionIdResolver.java | 10 +++++-----
 .../session/CookieWebSessionIdResolverTests.java | 9 +++++++++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
index f355abada846..df661f2e9355 100644
--- a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@@ -105,20 +105,20 @@ public List resolveSessionIds(ServerWebExchange exchange) {
 @Override
 public void setSessionId(ServerWebExchange exchange, String id) {
 Assert.notNull(id, "'id' is required");
- ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge());
+ ResponseCookie cookie = initCookie(exchange, id).build();
 exchange.getResponse().getCookies().set(this.cookieName, cookie);
 }

 @Override
 public void expireSession(ServerWebExchange exchange) {
- ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);
+ ResponseCookie cookie = initCookie(exchange, "").maxAge(0).build();
 exchange.getResponse().getCookies().set(this.cookieName, cookie);
 }

- private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id, Duration maxAge) {
+ private ResponseCookie.ResponseCookieBuilder initCookie(ServerWebExchange exchange, String id) {
 ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(this.cookieName, id)
 .path(exchange.getRequest().getPath().contextPath().value() + "/")
- .maxAge(maxAge)
+ .maxAge(getCookieMaxAge())
 .httpOnly(true)
 .secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
 .sameSite("Lax");
@@ -127,7 +127,7 @@ private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id,
 this.initializer.accept(builder);
 }

- return builder.build();
+ return builder;
 }

 }
diff --git a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
index cf1deb1c1c8c..c1c37caeae09 100644
--- a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
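Review bot: In `CookieWebSessionIdResolver.expireSession`, the expiry only holds because `.maxAge(0)` is applied after `initCookie` has already run the user-supplied initializer, and nothing in the code states that ordering. A later refactor that builds inside `initCookie` again, or moves the initializer call, would let an initializer-set Max-Age win, and the emptied cookie would linger in the browser instead of being removed. I would add a comment above that line, e.g. `// maxAge(0) must be set after initCookie(), which applies the cookie initializer and may set its own Max-Age`, plus a one-line Javadoc on `initCookie` saying it returns the builder with the initializer already applied. The body of `initCookie` ends in the following hunk.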
@@ -54,6 +54,15 @@ public void cookieInitializer() {
 assertCookieValue("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Strict");
 }

+ @Test
+ public void expireSessionWhenMaxAgeSetViaInitializer() {
+ this.resolver.addCookieInitializer(builder -> builder.maxAge(600));
+ this.resolver.expireSession(this.exchange);
+
+ assertCookieValue("SESSION=; Path=/; Max-Age=0; " +
+ "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Lax");
+ }
+
 private void assertCookieValue(String expected) {
 MultiValueMap cookies = this.exchange.getResponse().getCookies();
 assertThat(cookies).hasSize(1);
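Review bot: `expireSessionWhenMaxAgeSetViaInitializer` pins only Max-Age, so nothing checks that the expiring cookie keeps the other attributes an initializer may supply. A browser removes a cookie only when name, domain and path match the one it stored, so an expiry cookie that lost an initializer-set `Domain` would leave the original session cookie in place. Consider extending the initializer to `builder -> builder.domain("example.org").maxAge(600)` and expecting `Domain=example.org` in the asserted header. A companion assertion that `setSessionId` still emits `Max-Age=600` with the same initializer would guard against the fix later being turned into ignoring the initializer altogether. The body of `assertCookieValue` continues past the end of the hunk.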