Silhouette 5.0 with Play 2.6.0-RC2 - missing authenticator cookie


Hi, I am trying Play 2.6.0-RC2 with the Silhouette 5.0 snapshot version and facing a problem with the authenticator cookie.

After successful login, the returned response doesn’t have the ‘authenticator’ cookie. For example, for the Google social provider based authenticator, the controller is successfully able to embed (silhouette.env.authenticatorService.embed) the cookie in the result.newCookies (I have been successfully able to print the result before returning from the controller), but somehow the cookie disappears after that.

Any ideas on what may be wrong? Is this something to do with cookie related changes in Play 2.6.0?

Code is more or less similar to play-silhouette-seed project and I have similar code running fine with play 2.5.x and silhouette 4.0.


I noticed the exact same thing. Been pulling my hair out assuming I’m doing something wrong. I too have seen the cookie in the result but fail to see it manifest in the browser. It looks like maybe one of the Result copies fails to copy the cookie over as by the time the result cookies get “baked” newCookie does not exist in the Result instance being baked. One thing I noticed that changed in 2.6 is that security filters come enabled by default, which seems to add Results.withHeaders call. Maybe related?

FWIW when I add a CsrfStateItemHandler into the mix, its cookie does appear.


I linked against local build of latest play-silhouette (using sbt publish-local) and it is working fine against that.


Any ideas what changed that fixed it? Local publishing isn’t an option for me and I don’t see any changes that should have an effect that aren’t in the latest snapshot build.

UPDATE: I was able to get things working with the latest SNAPSHOT build by disabling all security filters:


As mentioned above, 2.6 changes some of the security filter default behavior. In particular it looks like Silhouette does not play nice with the AllowedHosts filter ATM as it overwrites the outgoing cookies with its withHeaders invocation. I created this bug report to track the problem.


I had a relook and I have one change left from my debugging in my local build.

— a/silhouette/app/com/mohiva/play/silhouette/api/services/AuthenticatorService.scala
+++ b/silhouette/app/com/mohiva/play/silhouette/api/services/AuthenticatorService.scala
@@ -59,9 +59,9 @@ class AuthenticatorResult(result: Result)
override def copy(
header: ResponseHeader,
body: HttpEntity,

  • newSession: Option[Session] = None,
  • newFlash: Option[Flash] = None,
  • newCookies: Seq[Cookie] = Seq.empty
  • newSession: Option[Session],
  • newFlash: Option[Flash],
  • newCookies: Seq[Cookie]
    ) = {
    AuthenticatorResult(super.copy(header, body, newSession, newFlash, newCookies))
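
Review bot: Nothing at `override def copy(` records why the `= None` and `= Seq.empty` defaults must stay off the override, and the patch adds no test, so a later cleanup could reintroduce them. In Scala an override that redeclares default arguments replaces the parent's defaults, so any caller that omits `newCookies` would get `Seq.empty` rather than whatever the parent `copy` supplies. Suggest a one-line comment above the method and a regression test asserting that an `AuthenticatorResult` still carries its `newCookies` after a `withHeaders` call.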

I have the following filters enabled:

and I have added my domain name in play.filters.hosts.allowed
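
The effect of the diff above can be reproduced in isolation. The following is an added example, not code from Play or Silhouette: `Result`, `BrokenAuthResult`, `FixedAuthResult` and the cookie value are simplified, constructed stand-ins, and `withHeaders` only models the kind of call the thread attributes to the filter.

```scala
// Simplified model, constructed for illustration; not Play's or Silhouette's classes.
final case class Cookie(name: String, value: String)

class Result(val headers: Map[String, String], val newCookies: Seq[Cookie]) {
  // Like a case-class copy: each default is the current field value.
  def copy(headers: Map[String, String] = this.headers,
           newCookies: Seq[Cookie] = this.newCookies): Result =
    new Result(headers, newCookies)

  // Models a header-adding call: copy the result, changing only the headers.
  def withHeaders(extra: (String, String)*): Result =
    copy(headers = headers ++ extra)
}

// "Before": the override redeclares a default, which replaces the parent's.
class BrokenAuthResult(r: Result) extends Result(r.headers, r.newCookies) {
  override def copy(headers: Map[String, String],
                    newCookies: Seq[Cookie] = Seq.empty): Result =
    new BrokenAuthResult(super.copy(headers, newCookies))
}

// "After": no defaults on the override, so the parent's defaults are inherited.
class FixedAuthResult(r: Result) extends Result(r.headers, r.newCookies) {
  override def copy(headers: Map[String, String],
                    newCookies: Seq[Cookie]): Result =
    new FixedAuthResult(super.copy(headers, newCookies))
}

object CookieLossDemo {
  def main(args: Array[String]): Unit = {
    // Constructed sample: a login result carrying the authenticator cookie.
    val login = new Result(Map.empty, Seq(Cookie("authenticator", "constructed-value")))

    val broken = new BrokenAuthResult(login).withHeaders("X-Example" -> "1")
    val fixed  = new FixedAuthResult(login).withHeaders("X-Example" -> "1")

    // The redeclared default silently drops the cookie; the fixed override keeps it.
    assert(broken.newCookies.isEmpty)
    assert(fixed.newCookies.map(_.name) == Seq("authenticator"))
    println(s"broken=${broken.newCookies} fixed=${fixed.newCookies}")
  }
}
```

Default arguments are resolved through the runtime class of the receiver, which is why the call inside the parent's `withHeaders` picks up the subclass's `Seq.empty`.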


@tr So does it mean that it works for you with the AllowedHostsFilter enabled?


Yes, it was working with AllowedHostsFilter enabled. I have linked against the local build of play-silhouette having the above given diff.


I’ve published a new version based on Play 2.6-RC2. Could you please test with this version.


Just saw this message today and tried against latest 5.0.0-snapshot and it is not working. I had to apply the above given diff and do a local build to make it work.


Could you please create a pull request?


Done along with explanation of why it was creating problem in comment -


I’ve published a new snapshot with the fix. Could you both please test it?


Thanks, with latest snapshot it is working fine for me.