Question

Spring makes removing cookies on logout entirely painless: you just add

<security:logout logout-url="/j_acegi_logout" logout-success-url="${server.environment.baseUrl}j_spring_security_logout" delete-cookies="USERPREFS"/>

Now, USERPREFS is the name of the cookie in the app that stores information for a specific user, and is set to be a session cookie only. When the user logs out, that cookie is removed, so other users won't have someone else's preferences applied. However, I noticed that in the case of a session timeout, a user could come along to the computer terminal, try to refresh the page, get redirected to the login screen, and now they're back in the app with the previous user's cookie!

Obviously when there is no cookie, the values are being supplied dynamically by the app, but to avoid a few extra db calls, I check to see if the cookie already exists in the request, and use it if it does. I can stop doing this, but it would be nice to just be able to set that cookie to also get removed when the application has to reestablish a new session, especially when the user switches


Solution

I believe USERPREFS is the logged-in user's preferences. In that case you cannot use the value set in USERPREFS until the user logs in. If that is the case, you should set the values from the user's preferences saved on the server side when the user logs in. That way, though you have the USERPREFS cookie, you don't use the value until the user logs in. When the user logs in, you set the logged-in user's preferences in the cookie so that the currently logged-in user's preferences are used.
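One way to implement the answer's advice as an added example (not code from the question or the answer): a Spring Security success handler that overwrites USERPREFS from the server-side preferences on every login, plus a read helper that ignores the cookie before login. It goes one step further than the answer by prefixing the cookie value with the owner's username so a stale cookie left behind by a timed-out session is never applied to a different user. `PreferencesService` and `serializeFor` are hypothetical application code.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class UserPrefsCookieSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    static final String COOKIE_NAME = "USERPREFS";

    /** Hypothetical application service; returns the user's saved preferences, already cookie-safe (URL-encoded). */
    public interface PreferencesService { String serializeFor(String username); }
    private final PreferencesService preferencesService;

    public UserPrefsCookieSuccessHandler(PreferencesService preferencesService) {
        this.preferencesService = preferencesService;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws ServletException, IOException {
        // Overwrite whatever USERPREFS the browser still carries. After a session timeout the
        // server never got to delete the old cookie, so login is the first chance to replace it.
        String username = authentication.getName();
        Cookie cookie = new Cookie(COOKIE_NAME, username + ":" + preferencesService.serializeFor(username));
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        cookie.setMaxAge(-1); // session cookie, as in the original configuration
        response.addCookie(cookie);
        super.onAuthenticationSuccess(request, response, authentication);
    }

    /** Read side: use the cookie only if it was issued for the currently authenticated user. */
    public static String prefsFromCookie(HttpServletRequest request, Authentication authentication) {
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken
                || request.getCookies() == null) {
            return null; // not logged in: never apply a cookie that may belong to someone else
        }
        String expectedPrefix = authentication.getName() + ":";
        for (Cookie c : request.getCookies()) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue().startsWith(expectedPrefix)) {
                return c.getValue().substring(expectedPrefix.length());
            }
        }
        return null; // no cookie, or another user's cookie: fall back to the database
    }
}
```

Register the handler as a bean and reference it from the form-login element (`<security:form-login authentication-success-handler-ref="userPrefsCookieSuccessHandler"/>`) next to the existing `<security:logout ... delete-cookies="USERPREFS"/>`, so logout still deletes the cookie and login always replaces it.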

Licensed under: CC-BY-SA with attribution