I have used the Play 2 session configuration for authentication purposes. For the sign-in request I send a response cookie named PLAY_SESSION with the username in it, but the next time the client sends any request to access data, instead of attaching the response cookie containing the username, it sends the cookie named PLAY_SESSION with a CSRF token in it. I am not understanding why the data part of my PLAY_SESSION cookie is getting changed from the username to a CSRF token.
Hey @sethuram975351,
Hard to know what is happening without having access to any code, or more details about the requests being made. Can you share the problematic sections of the code so that we can have an idea of what is going on?
```scala
def signIn = Action { implicit request =>
  // Pull the credentials out of the sign-in request body
  val (userName, password) = extractingParametersFromRequest(request)
  if (autheicate.loginService(userName, password, "signin")) {
    val sessionId = autheicate.randomKeyGenerator()
    val registered = autheicate.registerPrimarySessionId(userName, password, sessionId)
    if (registered)
      // withSession writes these keys into the signed PLAY_SESSION cookie
      Ok("Legitimate User").withSession("sessionId" -> sessionId, "username" -> userName)
    else
      Status(500)("Internal Server Error -> Error in Ticket Creation")
  } else {
    Status(403)("Forbidden")
  }
}
```
This code creates the PLAY_SESSION cookie as the response cookie to the sign-in request, where the cookie contains the sessionId and username.
```scala
def initial = Action { request =>
  // Ok( Json.toJson(fileServer.listObjects()))
  // println(request.session.data)
  // println(request.cookies.get("PLAY_SESSION"))
  request.session.get("username").map { user =>
    // withNewSession discards the existing session data (sessionId, username)
    Ok("Hello " + user).withNewSession
  }.getOrElse {
    Unauthorized("Oops, you are not connected")
  }
}
```
The requests to the server following the sign-in request always result in 403 Forbidden, since the session doesn't contain the username or sessionId, whereas it has a CSRF token in it.
Hey @sethuram975351,
`withNewSession` creates a completely new session, discarding all the previous data. Is that what you need?
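To make the difference concrete, here is an added example (not the poster's code, and not from the Play project) of the same `initial` action written so the signed-in user's keys survive, plus the one place where `withNewSession` is the right call. It assumes the Play 2.6+ injected-controller style and a hypothetical `SessionDemoController`.

```scala
import javax.inject._
import play.api.mvc._

// Hypothetical controller name; only the Play API calls are real.
@Singleton
class SessionDemoController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {

  // Read the user from the existing PLAY_SESSION cookie and leave the session alone,
  // so "username" and "sessionId" are still there on the next request.
  def initial = Action { implicit request =>
    request.session.get("username") match {
      case Some(user) => Ok("Hello " + user)               // no withNewSession here
      case None       => Unauthorized("Oops, you are not connected")
    }
  }

  // Adding a key: build on request.session instead of starting from an empty Session,
  // otherwise the existing keys are dropped in exactly the way the thread describes.
  def touch = Action { implicit request =>
    request.session.get("username") match {
      case Some(_) =>
        Ok("Updated").withSession(request.session + ("lastPath" -> request.path))
      case None =>
        Unauthorized("Oops, you are not connected")
    }
  }

  // Sign-out is where discarding the whole session is the intended effect.
  def signOut = Action {
    Ok("Signed out").withNewSession
  }
}
```

After a successful `signIn`, a request to `initial` now keeps the session cookie's data intact, and any CSRF token the filter adds is stored alongside the existing keys rather than replacing them.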
No, I wanted to access data (username and session Id) from the existing session. When I used `request.session.get("username")` I got `None`.
Better if you can create a small reproducer so that we can all understand the problem. And also describe the flow to reproduce the 403 result.
Have you checked whether `extractingParametersFromRequest(request)` is passing a value in `userName`?