From 139aa13e6ab6af1a871094cdae7607f00291d6e8 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Wed, 8 Jul 2020 08:03:51 +0530
Subject: [PATCH] server: Purge all cookies on logout, set /client path on login (#4176)

This will purge all the cookies on logout including multiple sessionkey cookies if passed. On login, this will restrict sessionkey cookie (httponly) to the / path.

Fixes #4136

Co-authored-by: Pearl Dsilva
---
 .../java/org/apache/cloudstack/saml/SAMLUtils.java | 2 +-
 server/src/main/java/com/cloud/api/ApiServlet.java | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
index 6110cc52288..6a03d444115 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@@ -280,7 +280,7 @@ public class SAMLUtils {
             resp.addCookie(new Cookie("timezone", URLEncoder.encode(timezone, HttpUtils.UTF_8)));
         }
         resp.addCookie(new Cookie("userfullname", URLEncoder.encode(loginResponse.getFirstName() + " " + loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
-        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
+        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
     }
 
     /**
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index 4002ff8d99b..c42980bf695 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
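Review bot: The new SET-COOKIE header scopes the session cookie to `Path=/`, while the commit title says the cookie is restricted to the /client path; the identical line is added in ApiServlet.java's first hunk (@@ -213), so the two should be reconciled together. A cookie at `/` is sent with every request to the host, so if the narrower scope was the intent the attribute should read `Path=/client` in both places, and if `/` is intended the title and description should say so, since the logout purge only removes cookies whose path matches. The hand-built header also sets no `Secure` attribute; whether that is acceptable depends on deployment, so a short comment on the line recording the decision would help the next reader. The enclosing method starts before this hunk.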
@@ -213,7 +213,7 @@ public class ApiServlet extends HttpServlet {
                 try {
                     responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
                     if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
-                        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
+                        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
                     }
                 } catch (ServerApiException e) {
                     httpResponseCode = e.getErrorCode().getHttpCode();
@@ -238,9 +238,14 @@ public class ApiServlet extends HttpServlet {
                         } catch (final IllegalStateException ignored) {
                         }
                     }
-                    Cookie sessionKeyCookie = new Cookie(ApiConstants.SESSIONKEY, "");
-                    sessionKeyCookie.setMaxAge(0);
-                    resp.addCookie(sessionKeyCookie);
+                    final Cookie[] cookies = req.getCookies();
+                    if (cookies != null) {
+                        for (final Cookie cookie : cookies) {
+                            cookie.setValue("");
+                            cookie.setMaxAge(0);
+                            resp.addCookie(cookie);
+                        }
+                    }
                 }
                 HttpUtils.writeHttpResponse(resp, responseString, httpResponseCode, responseType, ApiServer.JSONcontentType.value());
                 return;
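Review bot: The expiring cookies written in the logout hunk (@@ -238) may not remove the session cookie the login hunk issues: `req.getCookies()` carries only the name and value from the Cookie request header, so each `resp.addCookie(cookie)` goes out with no Path attribute and the browser defaults it to the request's own path, whereas the login code now sets `Path=/`, and a browser only overwrites a cookie whose name, domain and path all match. Adding `cookie.setPath("/");` before `resp.addCookie(cookie);` makes the expiry line up with the cookie written at login; a cookie that was issued under any other path would still need its own expiry. The loop now expires every cookie the client sent rather than just sessionkey, which is the stated intent but deserves a comment on the `for` line such as `// expire every cookie the client sent, including duplicate sessionkey cookies issued under older paths`. The enclosing method starts before and ends after this hunk.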