Reputation: 8901
Just upgrading to 2.2.1 and I'm a bit confused about what's going on with the CSRF handling. With the default config I always get "Missing CSRF token" errors, even though there's clearly a csrfToken in session data.
With a bit more poking around I found I could prevent this by setting csrf.sign.tokens to false in the settings (default is true). For some reason the lines:
    token.flatMap(Crypto.extractSignedToken)
      .map(token => Token(Crypto.signToken(token)))
in CSRF.getToken are giving me a None token. Does anyone know what would make CSRF fail only when token signing is enabled? I have not (knowingly) changed any of the CSRF-related config defaults. My suspicion is that somehow the token is in the wrong format and Crypto.extractSignedToken is failing, but I can't figure out why this would be the case.
CSRF protection for my application is done using the global WithFilters(CSRFFilter()) method.
Upvotes: 3
Views: 498
Reputation: 5569
This appears to be because CSRF tokens in Play 2.1.x aren't compatible with those in 2.2 or 2.3. If you have a cookie from a 2.1.x application and then upgrade the application to 2.2 you can see this issue when clients make a request with the old cookie value. The easiest solution I found was to rename the token in application.conf as follows:
csrf.token.name=csrfToken1
Bit of a nasty hack, but it works. I thought about moving the token to its own cookie (using the csrf.cookie.name property), but that still resulted in a "Missing CSRF Token" error.
Upvotes: 1
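To make the failure mode in the question and the workaround in the answer concrete, here is an added Python model (not Play's own code) of the signed-token scheme the getToken snippet relies on. It assumes Play's Crypto.signToken format of "<hmac-sha1-hex>-<nonce>-<token>" and a constructed application secret; a session value written before token signing was enabled carries no signature, so extractSignedToken yields None and the filter reports a missing token until the session key is renamed and a fresh signed token is issued.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret standing in for application.secret (assumption, not a real value).
SECRET = b"constructed-demo-secret"


def sign(message: str) -> str:
    """HMAC-SHA1 hex digest, modelled on Crypto.sign."""
    return hmac.new(SECRET, message.encode(), hashlib.sha1).hexdigest()


def sign_token(token: str) -> str:
    """Model of Crypto.signToken: '<sig>-<nonce>-<token>' with a fresh nonce."""
    joined = f"{int(time.time() * 1000)}-{token}"
    return f"{sign(joined)}-{joined}"


def extract_signed_token(value: str) -> Optional[str]:
    """Model of Crypto.extractSignedToken: the raw token, or None when the
    value is not '<sig>-<nonce>-<token>' with a signature that verifies."""
    parts = value.split("-", 1)
    if len(parts) != 2:
        return None  # legacy unsigned value: no signature at all
    sig, joined = parts
    if not hmac.compare_digest(sig, sign(joined)):
        return None  # tampered or signed under a different secret
    nonce_and_token = joined.split("-", 1)
    return nonce_and_token[1] if len(nonce_and_token) == 2 else None


def get_token(session: dict, name: str) -> Optional[str]:
    """Model of CSRF.getToken with csrf.sign.tokens=true: verify the session
    entry's signature and re-sign the extracted token with a new nonce."""
    raw = session.get(name)
    if raw is None:
        return None
    token = extract_signed_token(raw)
    return sign_token(token) if token is not None else None


def ensure_token(session: dict, name: str) -> str:
    """Return the valid token under `name`, or mint and store a fresh signed one
    (what the filter does once csrf.token.name no longer matches the stale key)."""
    existing = get_token(session, name)
    if existing is None:
        session[name] = sign_token(secrets.token_hex(16))
        return session[name]
    return existing
```

Running it with a session that only holds an unsigned "csrfToken" shows get_token returning None for that key, while ensure_token under a renamed key such as "csrfToken1" stores a value that extracts cleanly.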