How to delete remember me Cookie with Vaadin 23

I migrated my application from Vaadin 14 to Vaadin 23.3.

Everything works fine. After logging in using Spring Security the “rememberme” cookie is set, so I don't have to log in again when I close and open my browser. However, I am not able to remove the cookie anymore with my CookieUtil after logout, so I stay logged in all the time until I delete the cookie manually in the browser.

Did something change from Vaadin 14 to 23 in terms of cookie handling?
In the Vaadin documentation I was not able to find any tutorials for cookies and Spring Security.

Here is the code I use to create and delete cookies in Vaadin 14.

This is the cookie configuration:

The logout button:

OK. Seems like the cookie is deleted. But the problem is the new “logout” method from the class “com.vaadin.flow.spring.security.AuthenticationContext”.

When I call “AuthenticationContext.logout” I get redirected to the Tomcat root folder (localhost:8080) instead of to the application folder (localhost:8080/myapp/), which leads to this error:

If you configure your app to define the servlet context it’s deployed to, the logout should work as expected.

This is the workaround I found: now the cookie is deleted and I don't get redirected to a wrong URL.

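    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;

    import com.vaadin.flow.server.VaadinServletRequest;
    import com.vaadin.flow.server.VaadinServletResponse;
    import com.vaadin.flow.server.VaadinSession;

    /**
     * Custom logout method, because AuthenticationContext.logout is not working with Tomcat + rememberme cookie
     */
    public static void logout() {

        HttpServletRequest request = VaadinServletRequest.getCurrent().getHttpServletRequest();
        HttpServletResponse response = VaadinServletResponse.getCurrent().getHttpServletResponse();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Expire the remember-me cookie in the response
        var logoutHandler = new CookieClearingLogoutHandler(SecurityConfiguration.REMEMBERME_COOKIE_NAME);

        logoutHandler.logout(request, response, auth);

        // Invalidate the HTTP session behind the Vaadin session
        VaadinSession.getCurrent().getSession().invalidate();
    }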

Can you share some details? I don't know where to do this.

https://www.baeldung.com/spring-boot-context-path

It does not help. Same error. Now even in Spring Boot and not only on Tomcat I see the error page after logout. But thx for trying to help.

It seems like the AuthenticationContext.logout is not working when the application is deployed on Tomcat.

It depends on how you add your own logout success handler; by default it just does its thing :wink: You can add your own by using addLogoutHandlers in your security config, redirecting to the proper path if the context path is too broad for you.

Thx for the help. I think I have it working now. Will post the solution after testing.

This is my final solution:


Update:

I tested again, and the “rememberme” cookie is not deleted on logout, so the user stays logged in.

Still looking for a solution.

Did you delete the remember me cookie on logout? remember-me/src/main/java/org/vaadin/jchristophe/security/SecurityConfiguration.java at main · jcgueriaud1/remember-me · GitHub

(My example is using the old version of the security.)

Yes, I tried this already. Not working in Vaadin 23.3.

Maybe there is some problem with the context path? I am testing the app on Tomcat 9.

Got it working. The order of configuration was wrong. This is the working version.
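
Added illustration, not code from any poster in this thread: a browser only drops a cookie when the clearing `Set-Cookie` carries the same name and path it was stored under, which is why the context path matters when deleting the remember-me cookie. The class name, cookie name and token value are constructed, the cookie is assumed to have been set with the context path `/myapp` as its Path, and the model covers a single host (no Domain handling).

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration: a minimal browser cookie jar following RFC 6265 storage rules. */
public class RememberMeCookieDemo {

    // Stored cookies keyed by "name;path" (single host, so the domain is left out).
    private final Map<String, String> jar = new LinkedHashMap<>();

    /** Applies one Set-Cookie header; Max-Age <= 0 evicts only the same name AND path. */
    void setCookie(String name, String value, String path, int maxAge) {
        String key = name + ";" + path;
        if (maxAge <= 0) {
            jar.remove(key);
        } else {
            jar.put(key, value);
        }
    }

    /** True if the browser would still send a cookie with this name to requestPath. */
    boolean wouldSend(String name, String requestPath) {
        for (String key : jar.keySet()) {
            String[] parts = key.split(";", 2);
            String p = parts[1];
            boolean pathMatch = requestPath.equals(p)
                    || (requestPath.startsWith(p)
                        && (p.endsWith("/") || requestPath.charAt(p.length()) == '/'));
            if (parts[0].equals(name) && pathMatch) return true;
        }
        return false;
    }

    /** Path for the clearing cookie: the context path, or "/" for the root context. */
    static String cookiePath(String contextPath) {
        return contextPath == null || contextPath.isEmpty() ? "/" : contextPath;
    }

    public static void main(String[] args) {
        RememberMeCookieDemo browser = new RememberMeCookieDemo();
        String name = "rememberme";   // constructed cookie name
        String ctx = "/myapp";        // context path used in the thread

        browser.setCookie(name, "constructed-token", cookiePath(ctx), 1209600);
        browser.setCookie(name, "", "/", 0);              // clearing cookie with the wrong path
        System.out.println("cleared with '/':      still sent = " + browser.wouldSend(name, "/myapp/"));
        browser.setCookie(name, "", cookiePath(ctx), 0);  // clearing cookie with the matching path
        System.out.println("cleared with '/myapp': still sent = " + browser.wouldSend(name, "/myapp/"));
    }
}
```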