Session Authentication not working in Play when using Silhouette


#1

I am using the Silhouette security library. My Play server seems to send empty Session information in the response. What am I doing wrong?

Following is the print on Play’s console just before sending response.

Session(Map(authenticator -> 1-jtwBvA+LsLKE2rnkT/nMH1aQF9xc1twhECrma9mj3NUhUdVDmh/4wxQ2MxDOjcxkvEMTi1k63Dg5ezl+9FzDE3miaM5DbOrhyqAyGu4+30mHHV3QdPKA3IQQx5UdL1Hu85fZRI4f3Ef+q6xAgboDps0uBob5ojzo5Oqy8FNsoexn7Wr9iRyTr5xrMrLvl9GNQa+rA3q8qvW84sJaSei2iydrP2OjUbnnzo+zgrHLB3Bn7KJxOcFH4h9CikZNk/FHbtDm4uxzcK3paK1CuuIWLE8yvcYdavJ+4ejV5IaJ8QesJQRFgBktD9L/A2bc03eaA8wm)))

But in the browser window, I notice that the value is empty.

Set-Cookie: PLAY_SESSION=; Max-Age=-86400;

Note that my browser earlier already had a PLAY_SESSION cookie from previous test runs. However, I would expect that the client application (Angular) would override old cookies with new cookies. Am I correct?

Following is the code snippet which creates, initialises and embeds the session information

val AuthenticatorFuture: Future[SessionAuthenticator] = silhouette.env.authenticatorService.create(loginInfo) // create authenticator

AuthenticatorFuture.flatMap(authenticator => { // got the authenticator
  val securityTokenFuture: Future[Session] = silhouette.env.authenticatorService.init(authenticator) // init authenticator
  securityTokenFuture.flatMap(securityToken => {
    println("adding security token: ", securityToken)
    // embed the session in the response that is returned to the client
    val result: Future[AuthenticatorResult] = silhouette.env.authenticatorService.embed(securityToken, Ok(Json.toJson(JsonResultSuccess("found user"))))
    result
  })
})

The Environment is defined as

trait SessionEnv extends Env {
  type I = User 
  type A = SessionAuthenticator
}

Environment is passed to my controller as

silhouette: Silhouette[SessionEnv]

I created it at compile time as follows

val configSession = SessionAuthenticatorSettings()
val sessionAuthenticatorService = new SessionAuthenticatorService(configSession, fingerprintGenerator, authenticatorEncoder, new DefaultSessionCookieBaker(), clock)
val sessionEnv = com.mohiva.play.silhouette.api.Environment[SessionEnv](userIdentityService, sessionAuthenticatorService, Seq(), EventBus())

I re-ran the scenario and it worked. However, the server did send an empty PLAY_SESSION cookie in the 200 OK of the signin request. I notice that my signin request contained an old and expired PLAY_SESSION cookie. Is this expected behavior that when the Silhouette library sees an expired session cookie, it sends an empty cookie in the response so that the client discards the cookie? I have come to this conclusion because I notice that when I sign out, the library sends the session cookie with an empty value.


#2

Silhouette uses Play’s session API to store session data. This means that Silhouette doesn’t modify the cookie directly.


#3

So this is Play’s behaviour, not Silhouette’s?


#4

Yes, this is Play’s behavior. As said previously, we do not modify the cookie directly in the SessionAuthenticatorService.
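
How a client treats the `Set-Cookie: PLAY_SESSION=; Max-Age=-86400;` header quoted in the first post, as an added example that is not part of the thread and is not Play or Silhouette code: under RFC 6265 a Max-Age of zero or less expires the cookie immediately, so the stored cookie is dropped rather than replaced by an empty one. The function names, the jar keyed by cookie name only, and the sample values are assumptions made for the illustration.

```javascript
// Added example: minimal RFC 6265-style handling of a Set-Cookie header.
// Assumption: one host and one path, so the jar is keyed by cookie name only.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(s => s.length > 0);
  if (!pair) return null;
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: the header is ignored
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
                   maxAge: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) cookie.maxAge = parseInt(val, 10);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) cookie.expires = Date.parse(val);
  }
  return cookie;
}

// Applies one header to the jar and returns 'stored', 'deleted' or 'ignored'.
// Max-Age takes precedence over Expires; with neither, it is a session cookie.
function applySetCookie(jar, header, nowMs) {
  const c = parseSetCookie(header);
  if (c === null) return 'ignored';
  let expiry = Infinity;
  if (c.maxAge !== null) expiry = c.maxAge <= 0 ? -Infinity : nowMs + c.maxAge * 1000;
  else if (c.expires !== null) expiry = c.expires;
  if (expiry <= nowMs) {
    jar.delete(c.name); // expiry in the past: a stored cookie of that name is evicted
    return 'deleted';
  }
  jar.set(c.name, { value: c.value, expiry });
  return 'stored';
}

function demo() {
  const now = Date.parse('2018-06-01T00:00:00Z'); // constructed clock value
  // Constructed jar holding a cookie left over from an earlier test run.
  const jar = new Map([['PLAY_SESSION', { value: 'constructed-old-value', expiry: Infinity }]]);
  const first = applySetCookie(jar, 'PLAY_SESSION=; Max-Age=-86400;', now);
  const afterDiscard = jar.has('PLAY_SESSION');
  // Constructed header carrying a fresh session value.
  const second = applySetCookie(jar, 'PLAY_SESSION=constructed-new-value; Path=/; HTTPOnly', now);
  return { first, afterDiscard, second, value: jar.get('PLAY_SESSION').value };
}

console.log(demo());
```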