Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Description
If a web application is installed in the root context of a servlet container, the remember-me cookie defaults to a value of "" (because that's what request.getContextPath() returns). Unfortunately, this appears to attach the cookie to the current request's URL rather than the required root, "/". The offending code is in org.jsecurity.web.attr.CookieAttribute where the onStoreValue() method does this:
String path = getPath() != null ? getPath() : request.getContextPath();
We should either always append '/' to the context path or set the cookie path to "/" if the request context path is an empty string.
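The second option above, sketched as an added example (not JSecurity's code and not part of the original report). It also shows why an empty path ends up scoped to the request URL: under RFC 6265 (sections 5.1.4 and 5.2.4) a user agent replaces an empty Path with the directory of the request URI. The class name, the helper names, and the sample URL and "/shop" context are assumptions made for illustration.

```java
public class CookiePathExample {

    // Hypothetical helper: choose the Path attribute to send with the cookie.
    static String resolveCookiePath(String configuredPath, String contextPath) {
        String path = configuredPath != null ? configuredPath : contextPath;
        // getContextPath() returns "" for the root context; fall back to "/".
        if (path == null || path.trim().isEmpty()) {
            return "/";
        }
        return path;
    }

    // RFC 6265 section 5.1.4 default-path: the value a user agent computes
    // from the request URI when it cannot use the Path attribute.
    static String browserDefaultPath(String requestUriPath) {
        if (requestUriPath == null || !requestUriPath.startsWith("/")) {
            return "/";
        }
        int lastSlash = requestUriPath.lastIndexOf('/');
        return lastSlash == 0 ? "/" : requestUriPath.substring(0, lastSlash);
    }

    // RFC 6265 section 5.2.4: a Path that is empty or does not start with "/"
    // is ignored and the default-path is used instead.
    static String effectiveScope(String pathAttribute, String requestUriPath) {
        boolean usable = pathAttribute != null && pathAttribute.startsWith("/");
        return usable ? pathAttribute : browserDefaultPath(requestUriPath);
    }

    public static void main(String[] args) {
        String rootContext = "";                      // what getContextPath() returns at root
        String requestUri = "/account/login/submit";  // constructed sample request path

        // Behaviour described in the report: the empty context path is used as-is.
        System.out.println("unpatched, root context: "
                + effectiveScope(rootContext, requestUri));

        // With the fallback, the cookie covers the whole application.
        System.out.println("patched, root context:   "
                + effectiveScope(resolveCookiePath(null, rootContext), requestUri));

        // A non-root context ("/shop" is a constructed value) is left unchanged.
        System.out.println("patched, /shop context:  "
                + effectiveScope(resolveCookiePath(null, "/shop"), requestUri));
    }
}
```

With the unpatched value the remember-me cookie is only returned for URLs under the directory of the request that set it, so it is silently missing on the rest of the application.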