CSRF token not found in header, when it's in the POST body


I have a Play app set up, and all working - including CSRF filters. My form bodies have the @CSRF.formField in them, and posting the forms all works fine.

However, if the user presses back and resubmits the form (don’t ask) then they end up on an Unauthorized page.

These 2nd (or subsequent) posts of the same form data use the same csrfToken in the form body. In the logs, I see a warning saying

07:42:00.893 [application-akka.actor.default-dispatcher-2] WARN play.filters.CSRF - [CSRF] Check failed because no token found in headers for /my-post-url-here

Why does the error message say this? The csrfToken is in the form body. Yes, it may not be a valid token - but it’s there, so why is the log message complaining it can’t find the token in the headers?

Should the error say something like “CSRF token found in body was invalid” or something like that? Or am I doing something wrong in the way I’m using Play?

Thanks in advance.


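As an added illustration (not code from the post or from Play itself), here is a synchronizer-token check written so that each failure path reports which copy of the token was missing. It models the usual design in which the reference token lives in the session, which travels in the Cookie header, while the submitted copy comes from the form body or a custom header; the request dicts, the `Csrf-Token` header name and the "session dropped" / "session rotated" scenarios are constructed assumptions for the example.

```python
import hmac
import secrets
from enum import Enum


class CsrfResult(Enum):
    OK = "ok"
    NO_SESSION_TOKEN = "no token found in headers (session cookie)"
    NO_BODY_TOKEN = "no token found in body or custom header"
    TOKEN_MISMATCH = "token in body does not match session token"


def generate_token() -> str:
    return secrets.token_hex(16)


def check_csrf(request: dict, token_name: str = "csrfToken") -> CsrfResult:
    """Synchronizer-token check over a constructed request dict with
    'cookies', 'headers' and 'form' sub-dicts (stand-in for a real request)."""
    # Reference copy: the session token, carried to the server in the Cookie header.
    session_token = request.get("cookies", {}).get(token_name)
    if not session_token:
        return CsrfResult.NO_SESSION_TOKEN
    # Submitted copy: form field first, then a custom header (for AJAX clients).
    submitted = (request.get("form", {}).get(token_name)
                 or request.get("headers", {}).get("Csrf-Token"))
    if not submitted:
        return CsrfResult.NO_BODY_TOKEN
    # Constant-time comparison so the check does not leak the reference token.
    if not hmac.compare_digest(session_token, submitted):
        return CsrfResult.TOKEN_MISMATCH
    return CsrfResult.OK


def replay_scenario() -> tuple:
    """Constructed walk-through: the first submit succeeds; a resubmit of the
    same body after the session token is gone fails on the *session* side
    (the 'headers' message), and a resubmit after the session token was
    rotated fails as a mismatch, even though the body token is present."""
    tok = generate_token()
    first = {"cookies": {"csrfToken": tok}, "form": {"csrfToken": tok}}
    resubmit_no_session = {"cookies": {}, "form": {"csrfToken": tok}}
    resubmit_rotated = {"cookies": {"csrfToken": generate_token()},
                        "form": {"csrfToken": tok}}
    return (check_csrf(first),
            check_csrf(resubmit_no_session),
            check_csrf(resubmit_rotated))
```

Returning a distinct reason per path, as above, is what lets a log line say whether the session copy or the submitted copy was the problem.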