
kamonkaushals sd

Oct 8, 2025, 10:43:24 AM
to Pac4j development mailing list

Summary

After upgrading play-pac4j from 12.0.0-PLAY3.0 to 12.0.1-PLAY3.0 (and higher), responses for pac4j-secured routes reissue cookies on every request:

  • Session cookie is re-set each time with updated nbf/iat.
  • CSRF cookie is also re-set each time.
  • This did not occur on 12.0.0-PLAY3.0. It now causes increased Set-Cookie traffic and unnecessary churn.

Scope

  • Behavior occurs only on routes guarded by pac4j (@Secure). Non-secured routes do not reissue cookies.

Affected versions

  • Good: 12.0.0-PLAY3.0
  • Bad: 12.0.1-PLAY3.0 and later

Environment

  • Play Framework 3.0.x (Java)
  • Scala 2.13.16
  • pac4j modules: core/http/saml/jwt 6.2.2

Dependencies (excerpt)

Dependencies.scala

    "org.pac4j" %% "play-pac4j" % "12.0.0-PLAY3.0",
    "org.pac4j" % "pac4j-core" % "6.2.2",
    "org.pac4j" % "pac4j-http" % "6.2.2",
    "org.pac4j" % "pac4j-saml" % "6.2.2",
    "org.pac4j" % "pac4j-jwt" % "6.2.2",

(Reproduces when the play-pac4j line is bumped to 12.0.1-PLAY3.0+.)

Jérôme LELEU

Nov 7, 2025, 5:57:37 AM
to Pac4j development mailing list
Hi,

Sorry for my late reply.

It wasn't easy to investigate this problem. It mainly comes from: https://github.com/pac4j/play-pac4j/pull/671

The session cookie recreation is a real problem and has been fixed.
The pac4jCsrfToken is actually renewed because of the rotateTokens of DefaultCsrfTokenGenerator and it is not a problem, but a mandatory fix.

Can you test with version 13.0.1-PLAY3.0-SNAPSHOT?

Thanks.
Best regards,
Jérôme
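A quick diagnostic for the symptom reported in the first message, added here as an example that is not from the thread or from pac4j: it compares the Set-Cookie headers of consecutive responses from a secured route and separates session-cookie churn with moving iat/nbf (the problem the reply says was fixed) from pac4jCsrfToken rotation (which the reply describes as intended). The cookie name `session`, the unsigned JWT values and the sample headers are constructed for the example.

```python
import base64
import json

def b64url(obj):
    """base64url-encode a JSON object without padding (JWT style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def fake_jwt(iat):
    """Constructed, unsigned JWT-shaped value standing in for the session cookie."""
    return f"{b64url({'alg': 'none'})}.{b64url({'iat': iat, 'nbf': iat})}.sig"

# Constructed sample: Set-Cookie headers of three consecutive responses from a
# pac4j-secured route. "session" is an assumed cookie name, not pac4j's real one.
SAMPLE_RESPONSES = [
    [f"session={fake_jwt(1000)}; Path=/; HttpOnly", "pac4jCsrfToken=a1; Path=/", "PLAY_SESSION=x; Path=/"],
    [f"session={fake_jwt(1001)}; Path=/; HttpOnly", "pac4jCsrfToken=b2; Path=/", "PLAY_SESSION=x; Path=/"],
    [f"session={fake_jwt(1002)}; Path=/; HttpOnly", "pac4jCsrfToken=c3; Path=/", "PLAY_SESSION=x; Path=/"],
]

def decode_jwt_claims(value):
    """Decode a JWT payload for inspection only; the signature is not checked."""
    parts = value.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def cookie_churn(responses):
    """Per cookie name: how often it was set, how often its value changed between
    consecutive responses, and how often a JWT value's iat/nbf moved."""
    last, report = {}, {}
    for headers in responses:
        for header in headers:
            name, _, rest = header.partition("=")
            name, value = name.strip(), rest.split(";", 1)[0].strip()
            entry = report.setdefault(name, {"set_count": 0, "changed": 0, "iat_changes": 0})
            entry["set_count"] += 1
            prev = last.get(name)
            if prev is not None and prev != value:
                entry["changed"] += 1
                old, new = decode_jwt_claims(prev), decode_jwt_claims(value)
                if old and new and (old.get("iat"), old.get("nbf")) != (new.get("iat"), new.get("nbf")):
                    entry["iat_changes"] += 1
            last[name] = value
    return report

def unexpected_churn(report, expected_rotation=frozenset({"pac4jCsrfToken"})):
    """Cookies re-set with a new value although not expected to rotate per request."""
    return sorted(n for n, e in report.items() if e["changed"] and n not in expected_rotation)
```

Run `unexpected_churn(cookie_churn(SAMPLE_RESPONSES))` against headers captured from your own deployment to see whether only the CSRF token rotates after the fix.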