in src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java [788:823]
/**
 * Clears the authentication cookie (and, when a domain is in use, the
 * companion domain cookie) on the client.
 *
 * <p>The domain used for clearing is taken from the request's domain
 * cookie, which is client-supplied and therefore untrusted. It is checked
 * with {@code isValidCookieDomain} before use. If that check fails, the
 * configured {@code defaultCookieDomain} is used instead when it passes the
 * same check; otherwise the cookies are cleared without a domain. Both
 * fallbacks are logged at warn level, and the rejected client value is
 * not written to the log.
 *
 * <p>Nothing is sent to the client unless the request carried a cookie
 * named {@code cookieName}.
 *
 * @param request the current request, whose cookies are inspected
 * @param response the response that receives the clearing cookies
 */
public void clear(HttpServletRequest request, HttpServletResponse response) {
    boolean authCookiePresent = false;
    String clearDomain = null;

    final Cookie[] requestCookies = request.getCookies();
    if (requestCookies != null) {
        // Scan every cookie without stopping early: the last occurrence of
        // each name decides the outcome.
        for (int i = 0; i < requestCookies.length; i++) {
            final Cookie candidate = requestCookies[i];
            final String candidateName = candidate.getName();
            if (this.cookieName.equals(candidateName)) {
                authCookiePresent = true;
            } else if (this.domainCookieName.equals(candidateName)) {
                // An empty domain cookie is treated like an absent one.
                final String suppliedDomain = candidate.getValue();
                clearDomain = suppliedDomain.length() == 0 ? null : suppliedDomain;
            }
        }
    }

    // Never echo an unchecked client-supplied domain back into a cookie:
    // fall back to the configured default, or to no domain at all.
    if (!isValidCookieDomain(request, clearDomain)) {
        final boolean defaultDomainUsable = isValidCookieDomain(request, defaultCookieDomain);
        if (defaultDomainUsable) {
            log.warn("The client supplied domain cookie value was invalid. Will try clearing the cookies with the default cookie domain instead");
            clearDomain = defaultCookieDomain;
        } else {
            log.warn("The client supplied domain cookie value was invalid and the configured default cookie domain is also invalid. Will try clearing the cookies without a domain instead");
            clearDomain = null;
        }
    }

    if (!authCookiePresent) {
        // No authentication cookie on the request, so there is nothing to remove.
        return;
    }

    // Overwrite the authentication cookie; the "" and 0 arguments are
    // presumably an empty value and a zero max-age (confirm against setCookie).
    setCookie(request, response, this.cookieName, "", 0, clearDomain);

    // The domain cookie is only overwritten when a domain is actually in use.
    final boolean domainInUse = clearDomain != null && !clearDomain.isEmpty();
    if (domainInUse) {
        setCookie(request, response, this.domainCookieName, "", 0, clearDomain);
    }
}