Fix request tracker cookie delete (crewjam#549)

Currently when stopping tracking a request the SP tried to delete the relevant cookie by setting it again with an empty value and and expired time.
This doesn't work since the path doesn't match the one of the original cookie.
Fixed by setting the delete cookie path using the same ACS path.

Author: Daniel-Wachter

samlsp/middleware_test.go

@@ -409,7 +409,7 @@ func TestMiddlewareCanParseResponse(t *testing.T) {
 
 	assert.Check(t, is.Equal("/frob", resp.Header().Get("Location")))
 	assert.Check(t, is.DeepEqual([]string{
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
+		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Path=/saml2/acs; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
 		"ttt=" + test.expectedSessionCookie + "; " +
 			"Path=/; Domain=15661444.ngrok.io; Max-Age=7200; HttpOnly; Secure"},
 		resp.Header()["Set-Cookie"]))

samlsp/request_tracker_cookie.go

@@ -67,6 +67,7 @@ func (t CookieRequestTracker) StopTrackingRequest(w http.ResponseWriter, r *http
 	cookie.Value = ""
 	cookie.Domain = t.ServiceProvider.AcsURL.Hostname()
 	cookie.Expires = time.Unix(1, 0) // past time as close to epoch as possible, but not zero time.Time{}
+	cookie.Path = t.ServiceProvider.AcsURL.Path
 	http.SetCookie(w, cookie)
 	return nil
 }