Thread on users@: "Regarding JSESSIONIDSSO Cookie maintained by tomcat"
http://tomcat.markmail.org/thread/y7m6ceiusm65p5bc

The code for clearing the cookie is in o.a.catalina.authenticator.SingleSignOn.invoke(...)

[[[
cookie.setMaxAge(0);
response.addCookie(cookie);
]]]

The code for setting the cookie is in o.a.catalina.authenticator.AuthenticatorBase.register(...)

I see the following issues with the code that clears the cookie in SingleSignOn.invoke():

1) The cookie value is echoed back. To clear a cookie it should be enough to use any fixed value.
(OP concerns are that Secure and HttpOnly flags are not set on the Set-Cookie header. It should not be an issue, as the value is known to be invalid, and as the browser is expected to immediately remove the cookie. Still I can agree that it is not pretty.)

2) The Domain and Path attributes should have the same values as for a newly created SSO cookie.
(The new cookie replaces the old cookie if it has the same name, domain and path. - RFC 6265 page 24 - Chapter 5.3. Storage Model, item 11)

BTW, an unrelated issue: The code in SingleSignOn.invoke() operates on the first SSO cookie that it finds. It does not expect the browser to send several cookies with this name.
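A clearing routine written along the lines the report asks for, as an added example that is not Tomcat's own code: the value is a fixed dummy instead of the echoed one, Domain and Path are passed in so they can mirror what AuthenticatorBase.register() used, and every received cookie with the SSO name is checked rather than only the first. The class name, constructor arguments and flag choices are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (not Tomcat's SingleSignOn valve) that emits one
 * expiring Set-Cookie for the SSO cookie, with the same Domain and Path the
 * cookie was created with, so the browser replaces the stored cookie
 * (RFC 6265, section 5.3, storage model item 11) instead of keeping it.
 */
public final class SsoCookieCleaner {

    // Cookie name used by Tomcat's SSO valve, as named in the report.
    public static final String SSO_COOKIE_NAME = "JSESSIONIDSSO";

    private final String domain;  // null means "emit no Domain attribute"
    private final String path;    // must equal the Path set at registration

    public SsoCookieCleaner(String domain, String path) {
        this.domain = domain;
        this.path = path;
    }

    /** Returns true if an SSO cookie was present and an expiring cookie was sent. */
    public boolean clear(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        // Scan all cookies: a browser may send several with this name, and the
        // received values are never reused, so none of them needs to be echoed.
        boolean present = false;
        for (Cookie received : cookies) {
            if (SSO_COOKIE_NAME.equals(received.getName())) {
                present = true;
            }
        }
        if (!present) {
            return false;
        }
        Cookie expired = new Cookie(SSO_COOKIE_NAME, "");  // fixed value, not the received one
        expired.setMaxAge(0);                               // Max-Age=0 asks the browser to delete it
        if (domain != null) {
            expired.setDomain(domain);                      // same Domain as the live cookie
        }
        expired.setPath(path);                              // same Path as the live cookie
        expired.setSecure(request.isSecure());              // carry the same flags as the live cookie
        expired.setHttpOnly(true);                          // Servlet 3.0+ (Tomcat 7 and later)
        response.addCookie(expired);
        return true;
    }
}
```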
Fixed in 8.0.x for 8.0.10 onwards.
Fixed in 7.0.x for 7.0.55 onwards.