Invalidation of cookie when cookie signature does not match cookie content


kheraud

May 26, 2016, 5:32:47 AM5/26/16
to play-framework
Hello,

I am using Play 2.4 and I am not sure I understand this part of the documentation about cookies: "Of course, cookie values are signed with a secret key so the client can’t modify the cookie data (or it will be invalidated).". When I manually change my cookie so that the content of the cookie does not match the signed part (or if I change the signed part so that it does not match the content):
1) The cookie is not taken into account (OK, this is the expected behaviour)
2) There is NO HTTP Set-Cookie in the response which could clear the wrong cookie. So the user keeps their wrongly signed cookie (NOK, I thought "it will be invalidated")

Any hint about that ?

Best regards,

Karim

kheraud

May 26, 2016, 5:33:39 AM5/26/16
to play-framework
In addition, there is no log / alert / warning about this wrong signature (silent fail).

Karim

Will Sargent

May 26, 2016, 7:31:40 PM5/26/16
to play-fr...@googlegroups.com
In 2.5.x, there's a CookieSigner that you can override with custom behavior, with logging on a failed validation of a signed cookie.

As for sending a Set-Cookie, that's one possible option on the spectrum of things that could happen when a session cookie doesn't match, but there are also others -- account lockout, redirection, etc. -- so hardcoding that behavior would be making assumptions about the use case.

Will.

To view this discussion on the web visit https://groups.google.com/d/msgid/play-framework/58d9ec84-2f4b-465f-a5ba-61cab2f8b9ee%40googlegroups.com.
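To make the two behaviours discussed in this thread concrete (the default "silently ignore a cookie whose signature does not match" versus the "log it and send a clearing Set-Cookie" that the original poster expected), here is an added example that is not Play Framework code and not Will's CookieSigner. It models a signed session cookie in Python: the `<hex-hmac>-<urlencoded payload>` layout and HMAC-SHA1 are assumptions chosen to resemble Play 2.x's session cookie, `PLAY_SESSION` is Play's default cookie name, and the secret key and session contents are constructed for the example.

```python
"""Signed session cookie: verify, and on mismatch log + clear the cookie.

Added example, not Play Framework code. The cookie layout
"<hex hmac>-<urlencoded payload>" and the use of HMAC-SHA1 are assumptions
chosen to resemble Play 2.x session cookies; the secret key below is a
constructed sample, not a real configuration value.
"""
import hashlib
import hmac
import logging
from urllib.parse import parse_qsl, urlencode

log = logging.getLogger("cookie")

COOKIE_NAME = "PLAY_SESSION"          # Play's default session cookie name
SAMPLE_KEY = b"constructed-sample-secret-not-for-production"


def sign(payload: str, key: bytes) -> str:
    """Hex HMAC over the payload string (assumed Play-like layout)."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha1).hexdigest()


def encode_cookie(session: dict, key: bytes) -> str:
    """Serialise a session map as '<signature>-<payload>'."""
    payload = urlencode(session)
    return f"{sign(payload, key)}-{payload}"


def decode_cookie(raw: str, key: bytes):
    """Return (session, valid).

    valid is False when the cookie is malformed or the signature does not
    match the payload; in that case the session is empty, which is the
    'cookie is not taken into account' behaviour from the thread.
    """
    signature, sep, payload = raw.partition("-")
    if not sep:
        return {}, False
    # Constant-time comparison: a timing-leaking compare would let a client
    # recover a valid signature byte by byte.
    if not hmac.compare_digest(signature, sign(payload, key)):
        return {}, False
    return dict(parse_qsl(payload, keep_blank_values=True)), True


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header parser; values may contain '=' (the payload)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def handle_request(cookie_header: str, key: bytes):
    """Return (session, extra_response_headers).

    On a signature mismatch this logs a warning and adds an expiring
    Set-Cookie so the browser drops the tampered cookie, i.e. the
    'invalidation' the original poster expected. Play 2.4, per the thread,
    only does the first part (ignores the cookie) and stays silent.
    """
    raw = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    headers = []
    if raw is None:
        return {}, headers
    session, ok = decode_cookie(raw, key)
    if not ok:
        log.warning("%s failed signature check; clearing it", COOKIE_NAME)
        headers.append(
            ("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly")
        )
    return session, headers


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    good = encode_cookie({"user": "karim", "role": "user"}, SAMPLE_KEY)
    print(handle_request(f"{COOKIE_NAME}={good}", SAMPLE_KEY))
    # Tamper with the payload but keep the original signature.
    tampered = good.replace("role=user", "role=admin")
    print(handle_request(f"{COOKIE_NAME}={tampered}", SAMPLE_KEY))
```

Run it as-is and the second call prints an empty session together with a `Set-Cookie` that expires `PLAY_SESSION`; editing the hex signature instead of the payload produces the same result. Whether clearing the cookie is the right reaction is exactly the design question Will raises above: the verification step is the same in every case, what differs is the policy applied when it fails.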
