Add Support for Changing Session Cookie Name

Issue gh-14904

Author: jzheaux

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -5672,6 +5672,8 @@ public final class SessionLogoutConfigurer {
 
 				private String logoutUri = "{baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}";
 
+				private String cookieName = "SESSION";
+
 				private SessionLogoutConfigurer() {
 
 				}
@@ -5703,10 +5705,30 @@ public SessionLogoutConfigurer uri(String uri) {
 					return this;
 				}
 
+				/**
+				 * Use this cookie name to propagate the internal session identifier in
+				 * the internal logout invocation.
+				 *
+				 * <p>
+				 * This defaults to {@code JSESSIONID}.
+				 *
+				 * <p>
+				 * When using Spring Session, you may need to set this to {@code SESSION}
+				 * @param cookieName the cookie name to use
+				 * @return the
+				 * {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer.SessionLogoutConfigurer}
+				 * for further customizations
+				 */
+				public SessionLogoutConfigurer cookieName(String cookieName) {
+					this.cookieName = cookieName;
+					return this;
+				}
+
 				private ServerLogoutHandler configure() {
 					OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
 					logoutHandler.setSessionRegistry(OidcLogoutSpec.this.getSessionRegistry());
 					logoutHandler.setLogoutUri(this.logoutUri);
+					logoutHandler.setSessionCookieName(this.cookieName);
 					return logoutHandler;
 				}
 

config/src/test/java/org/springframework/security/config/web/server/OidcLogoutSpecTests.java

@@ -25,6 +25,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Consumer;
 
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
@@ -96,6 +97,7 @@
 import org.springframework.web.server.WebSession;
 import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
@@ -291,6 +293,29 @@ void logoutWhenSelfRemoteLogoutUriThenUses() {
 		this.test.get().uri("/token/logout").cookie("SESSION", sessionId).exchange().expectStatus().isUnauthorized();
 	}
 
+	@Test
+	void logoutWhenDifferentCookieNameThenUses() {
+		this.spring.register(OidcProviderConfig.class, CookieConfig.class).autowire();
+		String registrationId = this.clientRegistration.getRegistrationId();
+		String sessionId = login();
+		String logoutToken = this.test.get()
+			.uri("/token/logout")
+			.cookie("SESSION", sessionId)
+			.exchange()
+			.expectStatus()
+			.isOk()
+			.returnResult(String.class)
+			.getResponseBody()
+			.blockFirst();
+		this.test.post()
+			.uri(this.web.url("/logout/connect/back-channel/" + registrationId).toString())
+			.body(BodyInserters.fromFormData("logout_token", logoutToken))
+			.exchange()
+			.expectStatus()
+			.isOk();
+		this.test.get().uri("/token/logout").cookie("SESSION", sessionId).exchange().expectStatus().isUnauthorized();
+	}
+
 	@Test
 	void logoutWhenRemoteLogoutFailsThenReportsPartialLogout() {
 		this.spring.register(WebServerConfig.class, OidcProviderConfig.class, WithBrokenLogoutConfig.class).autowire();
@@ -491,6 +516,51 @@ SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebFluxSecurity
+	@Import(RegistrationConfig.class)
+	static class CookieConfig {
+
+		private final MockWebServer server = new MockWebServer();
+
+		@Bean
+		@Order(1)
+		SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
+				.oauth2Login(Customizer.withDefaults())
+				.oidcLogout((oidc) -> oidc
+					.backChannel((backchannel) -> backchannel
+						.sessionLogout((logout) -> logout.cookieName("JSESSIONID"))
+					)
+				);
+			// @formatter:on
+
+			return http.build();
+		}
+
+		@Bean
+		MockWebServer web(ObjectProvider<WebTestClient> web) {
+			WebTestClientDispatcher dispatcher = new WebTestClientDispatcher(web);
+			dispatcher.setAssertion((rr) -> {
+				String cookie = rr.getHeaders().get("Cookie");
+				if (cookie == null) {
+					return;
+				}
+				assertThat(cookie).contains("JSESSIONID");
+			});
+			this.server.setDispatcher(dispatcher);
+			return this.server;
+		}
+
+		@PreDestroy
+		void shutdown() throws IOException {
+			this.server.shutdown();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebFluxSecurity
 	@Import(RegistrationConfig.class)
@@ -699,12 +769,15 @@ private static class WebTestClientDispatcher extends Dispatcher {
 
 		private WebTestClient web;
 
+		private Consumer<RecordedRequest> assertion = (rr) -> { };
+
 		WebTestClientDispatcher(ObjectProvider<WebTestClient> web) {
 			this.webProvider = web;
 		}
 
 		@Override
 		public MockResponse dispatch(RecordedRequest request) throws InterruptedException {
+			this.assertion.accept(request);
 			this.web = this.webProvider.getObject();
 			String method = request.getMethod();
 			String path = request.getPath();
@@ -747,6 +820,10 @@ public MockResponse dispatch(RecordedRequest request) throws InterruptedExceptio
 			}
 		}
 
+		void setAssertion(Consumer<RecordedRequest> assertion) {
+			this.assertion = assertion;
+		}
+
 		private String session(RecordedRequest request) {
 			String cookieHeaderValue = request.getHeader("Cookie");
 			if (cookieHeaderValue == null) {
@@ -758,6 +835,9 @@ private String session(RecordedRequest request) {
 				if (SESSION_COOKIE_NAME.equals(parts[0])) {
 					return parts[1];
 				}
+				if ("JSESSIONID".equals(parts[0])) {
+					return parts[1];
+				}
 			}
 			return null;
 		}