Play framework not generating CSRF Token in version 2.6.12

ma...@knoldus.com

Mar 13, 2018, 9:36:33 AM3/13/18
to Play Framework
I am using Play 2.6.12.

I am getting a 403 response from Play. The issue seems to be related to CSRF. However, I believe Play is not generating a CSRF token, but I do not understand why that would happen, as CSRF support seems to be trivial in Play.

When my application retrieves index.html and the other JS and CSS files from the server, I do not see a CSRF token in the headers or cookies. All I see is the PLAY_SESSION cookie.

My UI is an Angular application being served from Play. From the documents, I read about the CSRF token that

This token gets placed either in the query string or body of every form submitted, and also gets placed in the user's session


The documentation also says that

To ensure that a CSRF token is available to be rendered in forms, and sent back to the client, the global filter will generate a new token for all GET requests that accept HTML, if a token isn't already available in the incoming request. - But I don't see this token in the response to my initial GET request.


As my UI (and thus the form) is not a Play UI, I cannot use Play's annotation for forms to put the CSRF token in the form.

I would like that when the homepage is delivered, Play sends the CSRF token, which the Angular application can store and use later.


Following are the headers I see in the browser's developer console.

Response headers

Content-Length      1421
Content-Type        text/html; charset=UTF-8
Date        Sun, 11 Mar 2018 21:23:52 GMT
Referrer-Policy     origin-when-cross-origin, strict-origin-when-cross-origin
X-Content-Type-Options      nosniff
X-Frame-Options     DENY
X-Permitted-Cross-Domain-Policies       master-only
X-XSS-Protection        1; mode=block

Request headers (600 B)

Accept      text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding     gzip, deflate
Accept-Language     en-US,en;q=0.5
Connection      keep-alive
Cookie      PLAY_SESSION=eyJhbGciOiJIUzI1N…AR2uh5KwKBhqKxQQT1wWPWC2yPyCM
Host        localhost:9000
Upgrade-Insecure-Requests       1
User-Agent      Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/58.0


The Action in Play which serves the homepage is

import play.filters.csrf.CSRF
import play.filters.csrf.CSRF.Token

def index =
    Action { implicit request =>
      // CSRF.getToken returns an Option[Token]; .get throws NoSuchElementException
      // if the filter generated no token for this request
      val Token(name, value) = CSRF.getToken.get
      println(s"Token name ${name}, value ${value}")
      Ok(views.html.index("Your new application is ready."))
    }

I can see (print) the token name and value, but I am not sure if it is being sent in the Ok response.


Token name csrfToken, value 589f6f0e190398d46f64a4ede66200994a9453ad-1520807763764-0cb3fe82ff64c2abb75a23a6


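One way to hand the token to a JavaScript client, shown as an added example that is not part of the original post and not the Play project's own code. It assumes Play 2.6 with the CSRFFilter enabled, an Angular client using HttpClientXsrfModule with its default names (it reads an XSRF-TOKEN cookie and echoes it in an X-XSRF-TOKEN header on non-GET requests), and `play.filters.csrf.header.name = "X-XSRF-TOKEN"` in application.conf so the filter looks for the header under that name. The controller name and the cookie-name constant are illustrative.

```scala
package controllers

import javax.inject.Inject
import play.api.mvc._
import play.filters.csrf.CSRF
import play.filters.csrf.CSRF.Token

// Added example, not from the original post or the Play project. Assumptions:
//   * Play 2.6 with play.filters.csrf.CSRFFilter enabled (the default filter set),
//   * an Angular client (HttpClientXsrfModule, default names) that reads the
//     XSRF-TOKEN cookie and sends its value in an X-XSRF-TOKEN request header,
//   * application.conf contains:  play.filters.csrf.header.name = "X-XSRF-TOKEN"
class HomeController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {

  // Cookie name the client reads; an assumption matching Angular's default.
  private val XsrfCookieName = "XSRF-TOKEN"

  def index = Action { implicit request: Request[AnyContent] =>
    val page = Ok(views.html.index("Your new application is ready."))
    // The filter generates a token only for GET requests that accept HTML, so
    // getToken is an Option; never call .get on it from a controller.
    CSRF.getToken match {
      case Some(Token(_, value)) =>
        // The authoritative copy lives in the (HttpOnly) PLAY_SESSION cookie. This
        // second, non-HttpOnly cookie only mirrors it so page script can read it.
        // The filter still validates the X-XSRF-TOKEN header against the session
        // copy, so an attacker-planted XSRF-TOKEN cookie alone passes nothing.
        page.withCookies(Cookie(XsrfCookieName, value, httpOnly = false))
      case None =>
        // No token for this request (e.g. Accept did not include text/html);
        // serve the page rather than failing.
        page
    }
  }
}
```

The configuration-only alternative is to set `play.filters.csrf.cookie.name = "XSRF-TOKEN"` as well: the filter then stores the token in that cookie itself (not HttpOnly by default, via `play.filters.csrf.cookie.httpOnly`) instead of the session, and the `withCookies` call above becomes unnecessary. Either way, the token is only valuable to an attacker if script on another origin can read it, which the same-origin policy prevents; the cookie must not be marked HttpOnly or the client cannot read it.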