In order to redirect the user to a URL that I desire on session timeout, I recently added the following to my Spring Security file....
I had this problem in Tomcat (not sure if it only applies to it).
From Tomcat documentation (see here) we can conclude that the path generated for the session cookie has a trailing slash:
Some browsers, such as IE, will send a session cookie for a context with a path of /foo with a request to /foobar. To prevent this, Tomcat will add a trailing slash to the path associated with the session cookie so, in the above example, the cookie path becomes /foo/. However, with a cookie path of /foo/, IE will no longer send the cookie with a request to /foo. This should not be a problem unless there is a servlet mapped to /*. In this case this feature will need to be disabled. The default value for this attribute is true. To disable this feature, set the attribute to false.
On the other side, Spring Security's CookieClearingLogoutHandler will generate a cookie path without the trailing slash. The Set-Cookie response header will be sent to the browser, but the cookie path will not match the path because the trailing slash is missing.
The browser will not clear the existing JSESSIONID cookie because the paths do not match.
I solved my problem by implementing a custom implementation of the CookieClearingLogoutHandler.
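
One way such a handler could look, as an added example that is not the answer author's code: it expires each named cookie under both the bare context path and the trailing-slash form described above, so the deletion matches whichever path the container used. The class name is hypothetical, and the imports assume Spring Security 5.x on the javax.servlet API (use jakarta.servlet on Spring Security 6).

```java
// Added example, not the answer author's code. Assumes Spring Security 5.x with
// the javax.servlet API; on Spring Security 6 change the imports to jakarta.servlet.
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/** Hypothetical class name: expires cookies under both context-path spellings. */
public class TrailingSlashCookieClearingLogoutHandler implements LogoutHandler {

    private final String[] cookieNames;

    public TrailingSlashCookieClearingLogoutHandler(String... cookieNames) {
        this.cookieNames = cookieNames.clone();
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        for (String name : cookieNames) {
            for (String path : candidatePaths(request.getContextPath())) {
                Cookie expired = new Cookie(name, null);
                expired.setPath(path);                  // must equal the stored cookie's path
                expired.setMaxAge(0);                   // 0 tells the browser to delete it
                expired.setSecure(request.isSecure());
                expired.setHttpOnly(true);
                response.addCookie(expired);            // one Set-Cookie header per path
            }
        }
    }

    /** "/foo" yields "/foo" and "/foo/"; the root context "" yields only "/". */
    static Set<String> candidatePaths(String contextPath) {
        Set<String> paths = new LinkedHashSet<>();
        if (contextPath == null || contextPath.isEmpty()) {
            paths.add("/");
            return paths;
        }
        paths.add(contextPath);        // path without the trailing slash
        paths.add(contextPath + "/");  // path Tomcat uses when it appends the slash
        return paths;
    }
}
```

Register it as a logout handler for the JSESSIONID cookie in place of CookieClearingLogoutHandler. After logout, the browser's cookie store should show no JSESSIONID entry for either path.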