Is Flash cookie signed?

(Osbornk) #1

According to the documentation, the Session cookie is signed, but the Flash cookie is not signed.

https://www.playframework.com/documentation/2.6.x/ScalaSessionFlash#Flash-scope

But if I am understanding the code correctly, it appears to be signed just like the Session cookie is. In fact, if I open up the Flash cookie, modify it or sign it with a new signature, and resubmit my request with this modified JWT, I get an "io.jsonwebtoken.SignatureException".

2019-05-15 15:21:33,303 – [warn] p.a.m.DefaultJWTCookieDataCodec - [e6e31243-778e-4287-8824-81d66fe38a09] - decode: cookie has invalid signature! message = JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
2019-05-15 15:21:33,308 – [info] p.a.m.DefaultJWTCookieDataCodec - [e6e31243-778e-4287-8824-81d66fe38a09] - The JWT signature in the cookie does not match the locally computed signature with the server.
This usually indicates the browser has a leftover cookie from another Play application,
so clearing cookies may resolve this error message.

Is the documentation incorrect? Or am I misunderstanding something?

I hope that the documentation is in fact incorrect because I basically need a signed Flash.

I am using Play 2.6.20.

Here is the section from my application.conf:

play {
  http {
    session {
      cookieName = "mysessioncookie"
      httpOnly = true
      secure = true
      isSigned = true
      maxAge = 2 hours
    }

    flash {
      cookieName = "myflashcookie"
    }

    secret.key = "somekey"
  }
}
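The behaviour described in the post (a flash cookie whose payload has been edited, or re-signed with a different key, is rejected with a signature mismatch) is what any HMAC-signed JWT cookie check produces. The following is an added, stand-alone illustration written for this thread; it is not Play's code or its JWT cookie codec. It assumes an HS256 JWT whose signing key is the raw UTF-8 bytes of a secret string, a constructed "data" claim holding the flash values, and a constructed secret, and shows why both tampering scenarios fail verification while a token signed with the configured secret is accepted.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT over `claims` (constructed example, not Play's codec)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: str):
    """Return (True, claims) if the signature checks out, else (False, reason)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(b64url_decode(header_b64))
    # Only accept the algorithm the server is configured for; never let the token choose.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the locally computed signature against the cookie's
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "JWT signature does not match locally computed signature"
    return True, json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the old signature (the 'modify it' case from the post)."""
    header_b64, _old_payload, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    secret = "somekey"  # constructed; the value from the post's application.conf
    flash = {"data": {"success": "Record saved"}}  # constructed flash content
    token = sign_jwt(flash, secret)
    print(verify_jwt(token, secret))
    print(verify_jwt(tamper_payload(token, {"data": {"success": "forged"}}), secret))
    print(verify_jwt(sign_jwt(flash, "someotherkey"), secret))
```

Re-signing with a different key fails for the same reason the log line in the post describes: the server recomputes the HMAC with its own `secret.key`, so only a token produced with that key verifies.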