server: Purge all cookies on logout, set /client path on login (#4176)

This will purge all the cookies on logout including multiple sessionkey cookies if passed. On login, this will restrict sessionkey cookie (httponly) to the / path. Fixes #4136 Co-authored-by: Pearl Dsilva <pearl.dsilva@shapeblue.com>
2020-07-08 08:03:51 +05:30 · 2020-07-08 08:03:51 +05:30 · 139aa13e6a
parent 4da374b6b4
commit 139aa13e6a
2 changed files with 10 additions and 5 deletions
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@ -280,7 +280,7 @@ public class SAMLUtils {
            resp.addCookie(new Cookie("timezone", URLEncoder.encode(timezone, HttpUtils.UTF_8)));
        }
        resp.addCookie(new Cookie("userfullname", URLEncoder.encode(loginResponse.getFirstName() + " " + loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
-        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
+        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
    }

    /**
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@ -213,7 +213,7 @@ public class ApiServlet extends HttpServlet {
                    try {
                        responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
                        if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
-                            resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
+                            resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
                        }
                    } catch (ServerApiException e) {
                        httpResponseCode = e.getErrorCode().getHttpCode();
@ -238,9 +238,14 @@ public class ApiServlet extends HttpServlet {
                            } catch (final IllegalStateException ignored) {
                            }
                        }
-                        Cookie sessionKeyCookie = new Cookie(ApiConstants.SESSIONKEY, "");
-                        sessionKeyCookie.setMaxAge(0);
-                        resp.addCookie(sessionKeyCookie);
+                        final Cookie[] cookies = req.getCookies();
+                        if (cookies != null) {
+                            for (final Cookie cookie : cookies) {
+                                cookie.setValue("");
+                                cookie.setMaxAge(0);
+                                resp.addCookie(cookie);
+                            }
+                        }
                    }
                    HttpUtils.writeHttpResponse(resp, responseString, httpResponseCode, responseType, ApiServer.JSONcontentType.value());
                    return;