server: Purge all cookies on logout, set /client path on login (apache#4176)

This will purge all the cookies on logout including multiple sessionkey
cookies if passed. On login, this will restrict sessionkey cookie
(httponly) to the / path.

Fixes apache#4136

Co-authored-by: Pearl Dsilva <pearl.dsilva@shapeblue.com>

Author: 2 people

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java

@@ -280,7 +280,7 @@ public static void setupSamlUserCookies(final LoginCmdResponse loginResponse, fi
             resp.addCookie(new Cookie("timezone", URLEncoder.encode(timezone, HttpUtils.UTF_8)));
         }
         resp.addCookie(new Cookie("userfullname", URLEncoder.encode(loginResponse.getFirstName() + " " + loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
-        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
+        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
     }
 
     /**

server/src/main/java/com/cloud/api/ApiServlet.java

@@ -213,7 +213,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                     try {
                         responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
                         if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
-                            resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
+                            resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
                         }
                     } catch (ServerApiException e) {
                         httpResponseCode = e.getErrorCode().getHttpCode();
@@ -238,9 +238,14 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                             } catch (final IllegalStateException ignored) {
                             }
                         }
-                        Cookie sessionKeyCookie = new Cookie(ApiConstants.SESSIONKEY, "");
-                        sessionKeyCookie.setMaxAge(0);
-                        resp.addCookie(sessionKeyCookie);
+                        final Cookie[] cookies = req.getCookies();
+                        if (cookies != null) {
+                            for (final Cookie cookie : cookies) {
+                                cookie.setValue("");
+                                cookie.setMaxAge(0);
+                                resp.addCookie(cookie);
+                            }
+                        }
                     }
                     HttpUtils.writeHttpResponse(resp, responseString, httpResponseCode, responseType, ApiServer.JSONcontentType.value());
                     return;