Play Session Issue


(Sethuram Ramalinga Reddy) #1

I have used the Play 2 session configuration for authentication, where I send a response cookie named PLAY_SESSION with the username in it for the sign-in request. But the next time I send any request for accessing data from the client, instead of attaching the response cookie containing the username, it sends a cookie named PLAY_SESSION but with a CSRF token in it. I am not understanding why the data part of my PLAY_SESSION cookie is getting changed from the username to a CSRF token.


(Marcos Pereira) #2

Hey @sethuram975351,

Hard to know what is happening without having access to any code, or more details about the requests being made. Can you share the problematic sections of the code so that we can have an idea of what is going on?


(Sethuram Ramalinga Reddy) #3
import play.api.mvc._

// Sign-in action: on success the response carries a PLAY_SESSION cookie
// holding both the generated sessionId and the username.
// `extractingParametersFromRequest` and `autheicate` are the poster's own helpers.
def signIn = Action { implicit request =>
  val (userName, password) = extractingParametersFromRequest(request)
  if (autheicate.loginService(userName, password, "signin")) {
    val sessionId = autheicate.randomKeyGenerator()
    val registered = autheicate.registerPrimarySessionId(userName, password, sessionId)
    if (registered)
      // withSession replaces the session with exactly these two entries
      Ok("Legitimate User").withSession("sessionId" -> sessionId, "username" -> userName)
    else
      InternalServerError("Internal Server Error -> Error in Ticket Creation")
  } else {
    Forbidden("Forbidden")
  }
}

This code creates the PLAY_SESSION cookie as a response cookie to the sign-in request, where the cookie contains the sessionId and username.


(Sethuram Ramalinga Reddy) #4
import play.api.mvc._

// Follow-up request after sign-in: reads the username back out of the session.
def initial = Action { request =>

  // Ok(Json.toJson(fileServer.listObjects()))

  // Debugging: dump the decoded session and the raw cookie
  // println(request.session.data)
  // println(request.cookies.get("PLAY_SESSION"))

  request.session.get("username").map { user =>
    // Responds with a brand-new, empty session
    Ok("Hello " + user).withNewSession
  }.getOrElse {
    Unauthorized("Oops, you are not connected")
  }
}

The requests to the server following the sign-in request always result in 403 Forbidden, since the session doesn't contain the username or sessionId, whereas it has a CSRF token in it.


(Marcos Pereira) #5

Hey @sethuram975351,

withNewSession creates a completely new session, discarding all the previous data. Is that what you need?


(Sethuram Ramalinga Reddy) #6

No, I wanted to access data (username and sessionId) from the existing session. When I used request.session.get("username") I got None.
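The point made in reply #5 and the symptom in reply #6 fit together: withNewSession answers the request with an empty session, so the next request carries a PLAY_SESSION cookie in which "username" and "sessionId" are gone. With Play's default CSRF filter configuration (no separate CSRF cookie name configured) the filter stores its token in the session, which is why the only thing left in the cookie is a CSRF token. The following is an added example, not code from the original thread, showing the two actions written so that the sign-in session survives later requests and withNewSession is used only where a session should really be discarded. The AuthService trait, its isValidSession method and the form field names "username"/"password" are assumptions standing in for the poster's autheicate helper and extractingParametersFromRequest.

```scala
package controllers

import javax.inject.Inject
import play.api.mvc._

// Hypothetical stand-in for the poster's `autheicate` object (assumption).
trait AuthService {
  def loginService(user: String, password: String, mode: String): Boolean
  def randomKeyGenerator(): String
  def registerPrimarySessionId(user: String, password: String, sessionId: String): Boolean
  def isValidSession(user: String, sessionId: String): Boolean // assumed helper
}

class SessionController @Inject() (cc: ControllerComponents, auth: AuthService)
    extends AbstractController(cc) {

  // Sign-in: the only action that *replaces* the session wholesale.
  def signIn: Action[AnyContent] = Action { implicit request =>
    val form     = request.body.asFormUrlEncoded.getOrElse(Map.empty)
    val userName = form.get("username").flatMap(_.headOption).getOrElse("")
    val password = form.get("password").flatMap(_.headOption).getOrElse("")

    if (auth.loginService(userName, password, "signin")) {
      val sessionId = auth.randomKeyGenerator()
      if (auth.registerPrimarySessionId(userName, password, sessionId))
        // PLAY_SESSION now carries exactly these two entries (plus whatever
        // filters such as CSRF add to it).
        Ok("Legitimate User").withSession("sessionId" -> sessionId, "username" -> userName)
      else
        InternalServerError("Error in Ticket Creation")
    } else {
      Forbidden("Forbidden")
    }
  }

  // Protected endpoint: read the session and keep it.
  def initial: Action[AnyContent] = Action { implicit request =>
    (request.session.get("username"), request.session.get("sessionId")) match {
      case (Some(user), Some(sid)) if auth.isValidSession(user, sid) =>
        // Extend the *existing* session instead of calling withNewSession,
        // which would drop "username" and "sessionId" and leave only what
        // the filters put back.
        val updated = request.session + ("lastSeen" -> System.currentTimeMillis.toString)
        Ok("Hello " + user).withSession(updated)
      case _ =>
        Unauthorized("Oops, you are not connected")
    }
  }

  // Sign-out is where withNewSession belongs: every entry is dropped on purpose.
  def signOut: Action[AnyContent] = Action { implicit request =>
    Ok("Signed out").withNewSession
  }
}
```

Two checks worth running if the session still looks wrong after this change: confirm that no other action or filter in the chain calls withNewSession or withSession with a fresh set of entries, and compare the decoded request.session.data on the second request against the entries written at sign-in.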


(Marcos Pereira) #7

It would be better if you could create a small reproducer so that we can all understand the problem, and also describe the flow to reproduce the 403 result.


(PSY) #8

Have you checked whether extractingParametersFromRequest(request) is actually passing a value in userName?