Nick Isaacs

Reputation: 134

Play 2.3 cookie remains usable after expiration

I have a Play 2.3.7 application for which I have configured the session.maxAge value. Authentication is done via a token in the session. If I log in, allow the maxAge duration to pass, and attempt to call an endpoint, I get a 401 as expected. However, if I copy the cookie from the browser while it is still valid, let it expire, and then manually add the cookie back to the browser's cookies, it appears that the cookie works again.

My questions are:

  1. Are the cookie expirations only enforced on the browser?
  2. If so, is it left to the developer to permanently expire cookies if desired?

Upvotes: 3

Views: 112

Answers (1)

Andriy Kuba

Reputation: 8263

Short answers

  1. Yes
  2. Yes

In details

It looks like you did just simple authentication, so you store all session information in the cookie. Play only ensures that the cookie is correctly signed. That's all. So if you copy and paste the same cookie then yes - it will work, and yes - it will work forever (until you change the secret key on the server side).

Even more

Please read @biesior's answer to this question: Play framework how do sessions and cookies work?

Upvotes: 1
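The mechanism described in the answer, as an added example in Python (not Play's own code and not part of the original thread): a small model of Play 2.3's signed session cookie, whose value has the shape `<HMAC-SHA1 hex signature>-<urlencoded session map>`, showing that the server checks only the signature, so a replayed cookie verifies no matter how much time has passed. It then shows the developer-side fix the second short answer points at: put an expiry timestamp inside the signed payload and reject the session once it is past. The secret, the token value and the function names (`encode_session`, `decode_session`, `login_session`, `authenticate`) are constructed for this example; the `session.maxAge` / `Max-Age` attribute is set on the cookie by the server but is only ever honoured by the browser.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed example secret. In Play this is application.secret from
# application.conf; rotating it invalidates every cookie signed with the old one.
SECRET = b"example-application-secret-do-not-use"


def sign(message: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA1 hex digest, modeled on the output of Play 2.3's Crypto.sign."""
    return hmac.new(secret, message.encode("utf-8"), hashlib.sha1).hexdigest()


def encode_session(data: dict, secret: bytes = SECRET) -> str:
    """Build a Play-style session cookie value: '<signature>-<urlencoded data>'.

    Everything the client can see is inside the cookie; the signature only
    stops the client from changing it.
    """
    payload = urlencode(data)
    return f"{sign(payload, secret)}-{payload}"


def decode_session(cookie: str, secret: bytes = SECRET) -> Optional[dict]:
    """Verify the signature and return the session map, or None if it fails.

    Deliberately mirrors the behaviour the answer describes: no time check at
    all. The cookie's Max-Age attribute never reaches the server, so a copied
    cookie pasted back into the browser verifies for as long as SECRET is unchanged.
    """
    signature, sep, payload = cookie.partition("-")
    if not sep:
        return None
    if not hmac.compare_digest(sign(payload, secret), signature):
        return None
    return dict(parse_qsl(payload, keep_blank_values=True))


def login_session(token: str, max_age_seconds: int, now: Optional[float] = None) -> str:
    """Issue a session whose expiry travels inside the signed payload (the fix).

    Because 'exp' is covered by the HMAC, the client cannot move it forward.
    """
    if now is None:
        now = time.time()
    return encode_session({"token": token, "exp": str(int(now) + max_age_seconds)})


def authenticate(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Server-side check: signature must verify AND the embedded expiry must not
    have passed. Returns the auth token, or None (the caller answers 401)."""
    if now is None:
        now = time.time()
    session = decode_session(cookie)
    if session is None:
        return None
    try:
        exp = int(session.get("exp", ""))
    except ValueError:
        return None  # missing or malformed expiry: treat as expired
    if now >= exp:
        return None
    return session.get("token")


if __name__ == "__main__":
    # Cookie issued at t=1000 with a 60 second lifetime (constructed times).
    cookie = login_session("tok123", 60, now=1000)
    print("signature-only check at t=5000:", decode_session(cookie))   # still accepted
    print("expiry-aware check at t=1030:", authenticate(cookie, now=1030))
    print("expiry-aware check at t=5000:", authenticate(cookie, now=5000))
```

The `decode_session`/`authenticate` split is the point: signature verification alone answers "did my server write this?", never "is it still fresh?". If a session must also be revocable before its expiry (logout, password change), the expiry-in-cookie approach is not enough and the token has to be looked up in server-side state, which is exactly the work the answer says Play leaves to the developer.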
