Play Session Issue

sethuram975351 · December 11, 2018, 11:26pm

I have used play 2 session configuration for authentication purpose where I send response cookie named PLAY_SESSION with username in it for signin request but the next time I send any request for accessing data from client instead of attaching the response cookie containing username it sending the cookie name PLAY_SESSION but with CSRF token in it. I am not understanding why my data part in PLAY_SESSION cookie is getting changed from username to CSRF token

marcospereira · December 18, 2018, 5:25am

Hey @sethuram975351,

Hard to know what is happening without having access to any code, or more details about the requests being made. Can you share the problematic sections of the code so that we can have an idea of what is going on?

sethuram975351 · December 18, 2018, 9:00pm

def signIn = Action { implicit request =>
  var (userName, password) = extractingParametersFromRequest(request)
  if (autheicate.loginService(userName, password, "signin")) {
    val sessionId = autheicate.randomKeyGenerator()
    val registered = autheicate.registerPrimarySessionId(userName, password, sessionId)
    if (registered)
      Ok("Legitamate User").withSession("sessionId" -> sessionId, "username" -> userName)
    else
      Status(500)("Internal Server Error -> Error in Ticket Creation")
  } else {
    Status(403)("Forbidden")
  }
}

This code creates PLAY_SESSION cookie as response cookie to sign in request where the cookie contains the sessionId and username.

sethuram975351 · December 18, 2018, 9:29pm

def initial = Action { request =>

  // Ok( Json.toJson(fileServer.listObjects()))

  // println(request.session.data)
  // println(request.cookies.get("PLAY_SESSION"))

  request.session.get("username").map { user =>
    Ok("Hello " + user).withNewSession
  }.getOrElse {
    Unauthorized("Oops, you are not connected")
  }
}

The requests to the server following sign in request always results in 403 forbidden since the session doesn’t contain username or sessionId where as it has csrf token in it.

marcospereira · December 19, 2018, 4:59pm

Hey @sethuram975351,

withNewSession creates a completely new session, discarding all the previous data. Is that what you need?

sethuram975351 · December 19, 2018, 9:22pm

No I wanted access data (username and session Id ) from the existing session. When i used request.session.get(“username”) I got NONE

marcospereira · December 19, 2018, 10:24pm

Better if you can create a small reproducer so that we can all understand the problem. And also describe the flow to reproduce the 403 result.

BnB · December 20, 2018, 6:41pm

have you checked whether

extractingParametersFromRequest(request)

is passing value in

userName

?

Topic		Replies	Views
Play 2.8 Session Issue Play Framework	2	1258	November 19, 2020
How do I get a CSRF token on the client side? Play Framework	1	1592	March 4, 2020
Session SameSite config appears not to stick Play Framework	0	1008	January 25, 2019
SESSION ISSUE on withSession method Play Framework	4	748	December 14, 2019
Setting Cookie through response Header Play Framework	3	1755	September 11, 2020

Play Session Issue

Related Topics