Is Flash cookie signed?

According to the documentation, the Session cookie is signed, but the Flash cookie is not signed.

But if I am understanding the code correctly, it appears to be signed just like the Session cookie is. In fact, if I open up the Flash cookie, modify it or sign it with a new signature, and resubmit my request with this modified JWT, I get an "io.jsonwebtoken.SignatureException".

2019-05-15 15:21:33,303 – [warn] p.a.m.DefaultJWTCookieDataCodec - [e6e31243-778e-4287-8824-81d66fe38a09] - decode: cookie has invalid signature! message = JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
2019-05-15 15:21:33,308 – [info] p.a.m.DefaultJWTCookieDataCodec - [e6e31243-778e-4287-8824-81d66fe38a09] - The JWT signature in the cookie does not match the locally computed signature with the server.
This usually indicates the browser has a leftover cookie from another Play application,
so clearing cookies may resolve this error message.

Is the documentation incorrect? Or am I misunderstanding something?

I hope that the documentation is in fact incorrect because I basically need a signed Flash.

I am using Play 2.6.20.

Here is the section from my application.conf:

play {
  http {
    session {
      cookieName = "mysessioncookie"
      httpOnly = true
      secure = true
      isSigned = true
      maxAge = 2 hours
    }

    flash {
      cookieName = "myflashcookie"
    }

    secret.key = "somekey"
  }
}
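The behaviour in the log above (the server recomputes the HMAC over the cookie body with its own secret and rejects anything that does not match) is easy to show end to end. The following is an added example, not Play's code and not the jjwt library that DefaultJWTCookieDataCodec wraps: a minimal HS256 JWT encoder and verifier in Python, using a constructed secret in place of play.http.secret.key, which demonstrates that both a payload edited in place and a payload re-signed with a different secret are refused before any claim is read.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for play.http.secret.key; not a real or recommended key.
SERVER_SECRET = b"constructed-example-secret"


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(claims: dict, secret: bytes) -> str:
    """Produce an HS256 JWT of the shape stored in a signed session/flash cookie."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


class SignatureException(Exception):
    """Stand-in for io.jsonwebtoken.SignatureException."""


def decode_cookie(token: str, secret: bytes) -> dict:
    """Verify the signature with the server's own secret before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise SignatureException("malformed token")
    header, payload, signature = parts

    # Only accept the algorithm we sign with; never let the token choose (e.g. "none").
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise SignatureException("unsupported algorithm")

    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison, as a verifier should use.
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise SignatureException(
            "JWT signature does not match locally computed signature. "
            "JWT validity cannot be asserted and should not be trusted."
        )
    return json.loads(_b64url_decode(payload))


def with_modified_payload(token: str, claims: dict) -> str:
    """Swap the payload but keep the original signature (the 'modify it' case)."""
    header, _payload, signature = token.split(".")
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{signature}"


def check(token: str, secret: bytes) -> str:
    """Report the verification outcome as a short string for easy inspection."""
    try:
        decode_cookie(token, secret)
        return "ok"
    except SignatureException:
        return "invalid signature"


if __name__ == "__main__":
    good = sign_cookie({"data": {"success": "Saved"}}, SERVER_SECRET)
    print("untouched cookie :", check(good, SERVER_SECRET))
    edited = with_modified_payload(good, {"data": {"success": "Admin granted"}})
    print("edited payload   :", check(edited, SERVER_SECRET))
    # The 'sign it with a new signature' case: a valid JWT, but under a different secret.
    resigned = sign_cookie({"data": {"success": "Admin granted"}}, b"some-other-secret")
    print("re-signed cookie :", check(resigned, SERVER_SECRET))
```

The third case is the one that produces the log line in the question: the token is internally consistent, but the signature was not computed with the server's secret, so the locally computed value differs and the cookie is discarded. This is also why a stale cookie from another Play application (a different secret) triggers the same message.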


This problem still exists in 2.8.8, nearly 2 years later. I can clear cookies but this is annoying. :)

Yes, docs are incorrect. Here I fix them: "Fix docs: Flash cookie is signed" (playframework/playframework Pull Request #10818 on GitHub).

Thanks Matthias!
