Cookie warning since play 2.6


(Felix) #1


our team has updated a play project from play 2.5 to play 2.6. We followed the migration guide for this.
Now we get spammed with a cookie warning:

decode: expired JWT found! id = null, message = JWT expired at 2018-04-08T02:12:52Z. Current time: 2018-04-08T02:17:57Z, a difference of 5409 milliseconds.  Allowed clock skew: 300000 milliseconds.

What do we have to change about cookies in play 2.6? Do we have to migrate the old cookies?


(Rich Dougherty) #2

As you know, Play changed to use JWT for its cookie implementation: The error you see looks like a legitimate complaint JWTs crypto implementation.

Can you reproduce the error? If so, how? Does every request give this warning?

(Felix) #3

I cannot really reproduct this on every request.
Here is a graph from our error logging system which shows the frequency the warning is thrown with:

It shows one great peak but it’s also showing up every day about 20 times.

(Rich Dougherty) #4

I’m guessing the JWT value in the cookie is expired as per spec. The library that Play uses for JWT decoding is throwing an error when it hits an expired JWT value. I haven’t dug into the code but I’m guessing this is a rare occurence because Play probably sets the cookie to expire at the same time as the JWT expiration, so usually expired JWT values won’t be sent by the client anyway.

FYI the session and JWT expiration is configurable in Play with play.http.session.maxAge and play.http.session.jwt.expiresAfter.

Note that the error message in the exception might have an error with its timezones:

We can probably change Play so that it swallows these exceptions instead of logging them. If you think that’s important would you mind raising an issue over on Github?