Set maxAge correctly when expiring WebSession

rstoyanchev · rstoyanchev · commit 5c012bbb0cc5 · 2023-11-08T11:44:36.000Z
Closes gh-31214
diff --git a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@@ -105,20 +105,20 @@ public List<String> resolveSessionIds(ServerWebExchange exchange) {
 	@Override
 	public void setSessionId(ServerWebExchange exchange, String id) {
 		Assert.notNull(id, "'id' is required");
-		ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge());
+		ResponseCookie cookie = initCookie(exchange, id).build();
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}
 
 	@Override
 	public void expireSession(ServerWebExchange exchange) {
-		ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);
+		ResponseCookie cookie = initCookie(exchange, "").maxAge(0).build();
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}
 
-	private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id, Duration maxAge) {
+	private ResponseCookie.ResponseCookieBuilder initCookie(ServerWebExchange exchange, String id) {
 		ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(this.cookieName, id)
 				.path(exchange.getRequest().getPath().contextPath().value() + "/")
-				.maxAge(maxAge)
+				.maxAge(getCookieMaxAge())
 				.httpOnly(true)
 				.secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
 				.sameSite("Lax");
@@ -127,7 +127,7 @@ private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id,
 			this.initializer.accept(builder);
 		}
 
-		return builder.build();
+		return builder;
 	}
 
 }
diff --git a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
@@ -54,6 +54,15 @@ public void cookieInitializer() {
 		assertCookieValue("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Strict");
 	}
 
+	@Test
+	public void expireSessionWhenMaxAgeSetViaInitializer() {
+		this.resolver.addCookieInitializer(builder -> builder.maxAge(600));
+		this.resolver.expireSession(this.exchange);
+
+		assertCookieValue("SESSION=; Path=/; Max-Age=0; " +
+				"Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Lax");
+	}
+
 	private void assertCookieValue(String expected) {
 		MultiValueMap<String, ResponseCookie> cookies = this.exchange.getResponse().getCookies();
 		assertThat(cookies).hasSize(1);

Original file line number	Diff line number	Diff line change
`@@ -105,20 +105,20 @@ public List<String> resolveSessionIds(ServerWebExchange exchange) {`
`105`	`105`	`@Override`
`106`	`106`	`public void setSessionId(ServerWebExchange exchange, String id) {`
`107`	`107`	`Assert.notNull(id, "'id' is required");`
`108`		`- ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge());`
	`108`	`+ ResponseCookie cookie = initCookie(exchange, id).build();`
`109`	`109`	`exchange.getResponse().getCookies().set(this.cookieName, cookie);`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`@Override`
`113`	`113`	`public void expireSession(ServerWebExchange exchange) {`
`114`		`- ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);`
	`114`	`+ ResponseCookie cookie = initCookie(exchange, "").maxAge(0).build();`
`115`	`115`	`exchange.getResponse().getCookies().set(this.cookieName, cookie);`
`116`	`116`	`}`
`117`	`117`
`118`		`- private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id, Duration maxAge) {`
	`118`	`+ private ResponseCookie.ResponseCookieBuilder initCookie(ServerWebExchange exchange, String id) {`
`119`	`119`	`ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(this.cookieName, id)`
`120`	`120`	`.path(exchange.getRequest().getPath().contextPath().value() + "/")`
`121`		`- .maxAge(maxAge)`
	`121`	`+ .maxAge(getCookieMaxAge())`
`122`	`122`	`.httpOnly(true)`
`123`	`123`	`.secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))`
`124`	`124`	`.sameSite("Lax");`
`@@ -127,7 +127,7 @@ private ResponseCookie initSessionCookie(ServerWebExchange exchange, String id,`
`127`	`127`	`this.initializer.accept(builder);`
`128`	`128`	`}`
`129`	`129`
`130`		`- return builder.build();`
	`130`	`+ return builder;`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`}`