#20334 Setting COOKIES_HTTP_ONLY=TRUE or COOKIES_SECURE_FLAG=always/https causes cookie duplication

* #20334 the domain set on the cookies on a weird path, setting to / to avoid dupes

* #20334 the domain set on the cookies on a weird path, setting to / to avoid dupes

* #20334 adding unit test for cookie

* #20334 adding the test to the MainSuite

Author: jdotcms

dotCMS/src/integration-test/java/com/dotcms/MainSuite.java

@@ -102,6 +102,7 @@
 import com.dotmarketing.util.HashBuilderTest;
 import com.dotmarketing.util.TestConfig;
 import com.liferay.portal.language.LanguageUtilTest;
+import org.apache.velocity.tools.view.tools.CookieToolTest;
 import org.junit.runner.RunWith;
 import org.junit.runners.Suite.SuiteClasses;
 
@@ -418,7 +419,8 @@
         StaticPushPublishBundleGeneratorTest.class,
         Task210520UpdateAnonymousEmailTest.class,
         Task210510UpdateStorageTableDropMetadataColumnTest.class,
-        StaticPushPublishBundleGeneratorTest.class
+        StaticPushPublishBundleGeneratorTest.class,
+        CookieToolTest.class
 })
 public class MainSuite {
 

dotCMS/src/integration-test/java/org/apache/velocity/tools/view/tools/CookieToolTest.java

@@ -0,0 +1,86 @@
+package org.apache.velocity.tools.view.tools;
+
+import com.dotmarketing.filters.CookieServletResponse;
+import org.apache.commons.lang.mutable.MutableObject;
+import org.apache.velocity.tools.view.context.ViewContext;
+import org.junit.Assert;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class CookieToolTest {
+
+    /**
+     * Method to test: {@link CookieTool#add(String, String)}
+     * Given Scenario: Adding a cookie should have the path to /
+     * ExpectedResult: The cookie path should be /
+     *
+     *
+     */
+    @Test()
+    public void test_add_cookie_success () {
+
+        final CookieTool cookieTool = new CookieTool();
+        final ViewContext context   = Mockito.mock(ViewContext.class);
+        final MutableObject cookieHolder = new MutableObject();
+        final HttpServletResponse response = new CookieServletResponse(Mockito.mock(HttpServletResponse.class), true) {
+
+            @Override
+            public void addCookie(final Cookie cookie) {
+                cookieHolder.setValue(cookie);
+            }
+        };
+        final HttpServletRequest  request  = Mockito.mock(HttpServletRequest.class);
+
+        Mockito.when(context.getResponse()).thenReturn(response);
+        Mockito.when(context.getRequest()).thenReturn(request);
+        cookieTool.init(context);
+
+        cookieTool.add("name", "value");
+        Assert.assertNotNull(cookieHolder.getValue());
+        final Cookie cookie = (Cookie) cookieHolder.getValue();
+
+        Assert.assertEquals("name", cookie.getName());
+        Assert.assertEquals("value", cookie.getValue());
+        Assert.assertEquals("/", cookie.getPath());
+    }
+
+    /**
+     * Method to test: {@link CookieTool#add(String, String, int)}
+     * Given Scenario: Adding a cookie should have the path to / and max age 1000
+     * ExpectedResult: The cookie path should be / and max age 1000
+     *
+     *
+     */
+    @Test()
+    public void test_add_cookie_max_timesuccess () {
+
+        final CookieTool cookieTool = new CookieTool();
+        final ViewContext context   = Mockito.mock(ViewContext.class);
+        final MutableObject cookieHolder = new MutableObject();
+        final HttpServletResponse response = new CookieServletResponse(Mockito.mock(HttpServletResponse.class), true) {
+
+            @Override
+            public void addCookie(final Cookie cookie) {
+                cookieHolder.setValue(cookie);
+            }
+        };
+        final HttpServletRequest  request  = Mockito.mock(HttpServletRequest.class);
+
+        Mockito.when(context.getResponse()).thenReturn(response);
+        Mockito.when(context.getRequest()).thenReturn(request);
+        cookieTool.init(context);
+
+        cookieTool.add("name", "value", 1000);
+        Assert.assertNotNull(cookieHolder.getValue());
+        final Cookie cookie = (Cookie) cookieHolder.getValue();
+
+        Assert.assertEquals("name", cookie.getName());
+        Assert.assertEquals("value", cookie.getValue());
+        Assert.assertEquals("/", cookie.getPath());
+        Assert.assertEquals(1000, cookie.getMaxAge());
+    }
+}

dotCMS/src/main/java/com/dotmarketing/filters/CookieServletResponse.java

@@ -52,7 +52,8 @@ public void addCookie(final Cookie cookie) {
         if ( SEND_COOKIES_SECURE_ALWAYS || this.requestIsSecure && SEND_COOKIES_SECURE_WHEN_HTTPS){
             cookie.setSecure(true);
         }
-        
+
+        cookie.setPath(CookieUtil.URI);
 
         super.addCookie(cookie);
     }

dotCMS/src/main/java/com/dotmarketing/util/CookieUtil.java

@@ -23,7 +23,7 @@ public class CookieUtil {
 
     public static final String ALWAYS = "always";
     public static final String HTTPS = "https";
-    private static final String URI = "/";
+    public static final String URI = "/";
     private static final int MAX_AGE_DAY_MILLIS = 60 * 60 * 24;
     public static final int DEFAULT_JWT_MAX_AGE_DAYS = 14;
 
@@ -175,4 +175,4 @@ public static void setHttpOnlyCookie(final Cookie cookie) {
  			cookie.setHttpOnly(true);			
  		}
  	} // setHttpOnlyCookie.
-}
+}

dotCMS/src/main/java/org/apache/velocity/tools/view/tools/CookieTool.java

@@ -20,6 +20,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.Cookie;
+
+import com.dotmarketing.util.CookieUtil;
 import org.apache.velocity.tools.view.context.ViewContext;
 
 /**
@@ -114,7 +116,9 @@ public Cookie get(String name)
      */
     public void add(String name, String value)
     {
-        response.addCookie(new Cookie(name, value));
+        final Cookie c = new Cookie(name, value);
+        c.setPath(CookieUtil.URI);
+        response.addCookie(c);
     }
 
 
@@ -129,7 +133,8 @@ public void add(String name, String value)
     public void add(String name, String value, int maxAge)
     {
         /* c is for cookie.  that's good enough for me. */
-        Cookie c = new Cookie(name, value);
+        final Cookie c = new Cookie(name, value);
+        c.setPath(CookieUtil.URI);
         c.setMaxAge(maxAge);
         response.addCookie(c);
     }