Fix request tracker cookie delete

Currently when stopping tracking a request the SP tried to delete the relevant cookie by setting it again with an empty value and and expired time. This doesn't work since the path doesn't match the one of the original cookie. Fixed by setting the delete cookie path using the same ACS path.
crewjam · Jan 24, 2024 · b8ee52d · b8ee52d
1 parent a32b643
commit b8ee52d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/samlsp/middleware_test.go b/samlsp/middleware_test.go
@@ -409,7 +409,7 @@ func TestMiddlewareCanParseResponse(t *testing.T) {
 
 	assert.Check(t, is.Equal("/frob", resp.Header().Get("Location")))
 	assert.Check(t, is.DeepEqual([]string{
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
+		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Path=/saml2/acs; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
 		"ttt=" + test.expectedSessionCookie + "; " +
 			"Path=/; Domain=15661444.ngrok.io; Max-Age=7200; HttpOnly; Secure"},
 		resp.Header()["Set-Cookie"]))

diff --git a/samlsp/request_tracker_cookie.go b/samlsp/request_tracker_cookie.go
@@ -67,6 +67,7 @@ func (t CookieRequestTracker) StopTrackingRequest(w http.ResponseWriter, r *http
 	cookie.Value = ""
 	cookie.Domain = t.ServiceProvider.AcsURL.Hostname()
 	cookie.Expires = time.Unix(1, 0) // past time as close to epoch as possible, but not zero time.Time{}
+	cookie.Path = t.ServiceProvider.AcsURL.Path
 	http.SetCookie(w, cookie)
 	return nil
 }