Handle cookie path correctly

AB-xdev · AB-xdev · commit bebc7bc6ba46 · 2026-04-17T10:53:26.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 2.2.2
+* oauth2-oidc-remember-me
+  * Handle cookie path correctly
+
 # 2.2.1
 * Use `ConcurrentReferenceHashMap` in favor of `Collections.synchronizedMap(new WeakHashMap<>())` to improve performance
 
diff --git a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/OAuth2CookieRememberMeServices.java b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/OAuth2CookieRememberMeServices.java
@@ -608,7 +608,7 @@ protected Cookie buildCookie(final String name, final String value)
 		cookie.setHttpOnly(true);
 		cookie.setSecure(this.cookieSecureService.isSecure());
 		cookie.setMaxAge((int)this.config.getExpiration().toSeconds());
-		cookie.setPath("/");
+		cookie.setPath(this.config.getCookiePath());
 		return cookie;
 	}
 	
@@ -691,6 +691,9 @@ protected void deleteCookie(final Cookie cookie, final HttpServletResponse respo
 	{
 		// Expire cookie
 		cookie.setMaxAge(0);
+		// Set path correctly or browser will ignore it
+		cookie.setPath(this.config.getCookiePath());
+		
 		response.addCookie(cookie);
 		
 		LOG.debug("Expiring Cookie[name='{}']", cookie.getName());
diff --git a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/config/OAuth2CookieRememberMeServicesConfig.java b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/config/OAuth2CookieRememberMeServicesConfig.java
@@ -30,6 +30,8 @@ public class OAuth2CookieRememberMeServicesConfig
 	private String payloadCookieName = "AC"; // Auth Cache
 	@NotEmpty
 	private String idCookieName = "ACID"; // Auth Cache Identifier
+	@NotEmpty
+	private String cookiePath = "/";
 	
 	@NotNull
 	private Duration expiration = Duration.ofDays(3);
@@ -76,6 +78,16 @@ public void setIdCookieName(final String idCookieName)
 		this.idCookieName = idCookieName;
 	}
 	
+	public String getCookiePath()
+	{
+		return this.cookiePath;
+	}
+	
+	public void setCookiePath(final String cookiePath)
+	{
+		this.cookiePath = cookiePath;
+	}
+	
 	public Duration getExpiration()
 	{
 		return this.expiration;
@@ -98,7 +110,7 @@ public void setMaxPerUser(final int maxPerUser)
 	
 	public OAuth2CookieRememberMeServicesCleanupScheduleConfig getCleanupSchedule()
 	{
-		return cleanupSchedule;
+		return this.cleanupSchedule;
 	}
 	
 	public void setCleanupSchedule(final OAuth2CookieRememberMeServicesCleanupScheduleConfig cleanupSchedule)
@@ -116,6 +128,8 @@ public String toString()
 			+ this.payloadCookieName
 			+ "', idCookieName='"
 			+ this.idCookieName
+			+ "', cookiePath='"
+			+ this.cookiePath
 			+ "', expiration="
 			+ this.expiration
 			+ ", maxPerUser="
