I'm using spring boot with a custom logout success handler. I want to print a custom message on the login screen depending on why they were logged out.
@Component
public class LogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
if(request.getParameter("emailchange") != null) {
setDefaultTargetUrl("/signin?m=Your%20email%20address%20has%20been%20changed,%20please%20re-login.");
}
else if(request.getParameter("passwordchange") != null) {
setDefaultTargetUrl("/signin?m=Your%20password%20has%20been%20changed,%20please%20re-login.");
}
else {
setDefaultTargetUrl("/signin?m=You%20have%20been%20logged%20out.");
}
super.onLogoutSuccess(request, response, authentication);
}
}
My security is configured as follows:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/signin/authenticate")
.failureUrl("/signin?login_error=t")
.defaultSuccessUrl("/dashboard")
.permitAll()
.and()
.logout()
.logoutUrl("/signout")
.logoutSuccessHandler(logoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.sessionAuthenticationStrategy(new RegisterSessionAuthenticationStrategy(sessionRegistry))
.and()
.rememberMe()
.key("myrememberkey")
.rememberMeServices(rememberMeServices)
.and()
.requestCache()
.requestCache(requestCache)
.and()
.httpBasic()
.disable()
;
}
<form id="logout-form" action="<c:url value="/signout"/>" method="POST"><input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/><a href="#" onclick="document.getElementById('logout-form').submit();"><i class="fa fa-power-off"></i> Logout</a></form>
When I logout with a POST (I'm using csrf), my LogoutSuccessHandler is called, and the JSESSIONID cookie header shows that it should be deleted. This comes back as a 302 redirect with the correct url that was set from LogoutSuccessHandler.
The browser then attempts to load /signin?m=You%20have%20been%20logged%20out but it re-sends the OLD cookie that was supposedly deleted in the 302 response from POST /signout. This causes another re-direct (since the JSESSION cookie we sent has been invalidated) and then we lose my pretty message. Any ideas on how I can prevent this behavior or ensure the browser deletes cookies properly on a 302 redirect in response to a POST request? I've tested on the latest Firefox and Chrome and the behavior is the same.
