Session Authentication not working in Play when using Silhouette

I am using the Silhouette security library. My Play server seems to send empty Session information in the response. What am I doing wrong?

Following is the print on Play’s console just before sending response.

Session(Map(authenticator -> 1-jtwBvA+LsLKE2rnkT/nMH1aQF9xc1twhECrma9mj3NUhUdVDmh/4wxQ2MxDOjcxkvEMTi1k63Dg5ezl+9FzDE3miaM5DbOrhyqAyGu4+30mHHV3QdPKA3IQQx5UdL1Hu85fZRI4f3Ef+q6xAgboDps0uBob5ojzo5Oqy8FNsoexn7Wr9iRyTr5xrMrLvl9GNQa+rA3q8qvW84sJaSei2iydrP2OjUbnnzo+zgrHLB3Bn7KJxOcFH4h9CikZNk/FHbtDm4uxzcK3paK1CuuIWLE8yvcYdavJ+4ejV5IaJ8QesJQRFgBktD9L/A2bc03eaA8wm)))

But in the browser window, I notice that the value is empty.

Set-Cookie: PLAY_SESSION=; Max-Age=-86400;

Note that my browser earlier already had a PLAY_SESSION cookie from previous test runs. However, I would expect that the client application (Angular) would override old cookies with new cookies. Am I correct?

Following is the code snippet which creates, initialises and embeds the session information

val AuthenticatorFuture: Future[SessionAuthenticator] = silhouette.env.authenticatorService.create(loginInfo) //create authenticator

AuthenticatorFuture.flatMap(authenticator => { //got the authenticator
  val securityTokenFuture: Future[Session] = silhouette.env.authenticatorService.init(authenticator) //init authenticator
  securityTokenFuture.flatMap(securityToken => {
    println("adding security token: ", securityToken)
    // embed the session data into the response
    val result: Future[AuthenticatorResult] = silhouette.env.authenticatorService.embed(securityToken, Ok(Json.toJson(JsonResultSuccess("found user"))))
    result
  })
})

The Environment is defined as

trait SessionEnv extends Env {
  type I = User 
  type A = SessionAuthenticator
}

Environment is passed to my controller as

silhouette: Silhouette[SessionEnv]

I created it at compile time as follows

val configSession =  SessionAuthenticatorSettings()
val sessionAuthenticatorService = new SessionAuthenticatorService(configSession,fingerprintGenerator,authenticatorEncoder,new DefaultSessionCookieBaker(),clock)
val sessionEnv = com.mohiva.play.silhouette.api.Environment[SessionEnv](userIdentityService,sessionAuthenticatorService,Seq(),EventBus())

I re-ran the scenario and it worked. However, the server did send an empty PLAY_SESSION cookie in the 200 OK of the signin request. I notice that my signin request contained an old and expired PLAY_SESSION cookie. Is it expected behavior that when the Silhouette library sees an expired session cookie, it sends an empty cookie in the response so that the client discards the cookie? I have come to this conclusion because I notice that when I sign out, the library sends the session cookie with an empty value.

Silhouette uses Play’s session API to store session data. This means that Silhouette doesn’t modify the cookie directly.

So this is Play’s behaviour, not Silhouette’s?

Yes, this is Play’s behavior. As said previously, we do not modify the cookie directly in the SessionAuthenticatorService.