Session SameSite config appears not to stick


(Jaylyn Stoesz) #1

Hi all,
I am attempting to set a session cookie from a live Play 2.6 application for a decoupled UI being developed on localhost:3000. The cookie gets set successfully, but does not get sent back to the live Play application on subsequent requests. As far as I can tell from messing with the CORS header config, etc., the problem seems to lie with the SameSite parameter on the Set-Cookie header containing the session token (an older application running on Play 2.4 does not have this parameter and allows requests from localhost, all other settings being equal).
Per the documentation, my session config looks like this, but is still sending the SameSite=Lax parameter:

session {
  secure = false
  domain = null
  sameSite = null
}

Can someone please tell me if I’m missing something?

Thanks!

UPDATE: it’s because the session object needs to be nested under play.http.session. The sample structure in the documentation needs to be updated as of this post.
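
The nesting described in the update, shown as an added example that is not part of the original post or of the Play documentation. The file name application.conf is assumed, and the keys and values are the ones from the post:

```hocon
# application.conf (Play 2.6) -- file name assumed, values taken from the post

# As posted: a top-level `session` block. Play does not read session
# settings from this path, so the built-in default stays in effect and the
# session cookie is still sent with SameSite=Lax.
#
# session {
#   secure = false
#   domain = null
#   sameSite = null
# }

# As described in the update: the same keys nested under play.http.session.
play.http {
  session {
    secure = false    # cookie is also sent over plain HTTP
    domain = null     # no Domain attribute; cookie is scoped to the issuing host
    sameSite = null   # omit the SameSite attribute from the session cookie
  }
}
```

After a restart, the Set-Cookie response header for the session cookie should no longer carry a SameSite parameter. With the attribute removed, the cookie is also attached to cross-site requests, so the application's CSRF protection has to cover those requests.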