Jordan Shaw

Reputation: 559

Play Framework version 2.6/2.7 set PLAY_SESSION cookie to SameSite=None; Secure

There are many posts confirming that Play supports the SameSite=None; Secure requirement. However, when configuring the session through config like this:

    ...
    play.http.session.httpOnly=true
    play.http.session.sameSite="None"
    play.http.session.secure=true
    ...

Chrome tells me that None is not getting set.

To validate I'm on the right back-ported version (2.6.24), I implemented a filter to set other cookies I have control over, and when I construct a cookie manually like this:

    Cookie(
      key,
      value,
      secure = true,
      sameSite = Some(Cookie.SameSite.None)
    )

Chrome will show that SameSite=None; Secure does get set on those cookies, which makes me think there's something with the config implementation that is not understanding None. The Play docs indicate you can only pass Strict or Lax as well, but I was hoping that was just a documentation error.

EDIT: Confirmed cbley's answer: 2.6.25 works.

Upvotes: 0

Views: 1071

Answers (1)

cbley

Reputation: 4608

This is fixed in Play versions 2.6.25 and 2.7.5.

Upvotes: 1
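
One way to confirm the upgrade from the raw `Set-Cookie` header rather than the browser's cookie panel, as an added example that is not part of the original question or answer. The function names `parse_set_cookie` and `audit_cookie` are hypothetical, and the header lines are constructed samples (the "affected" line assumes the attribute is simply absent).

```python
# Added example: audit Set-Cookie headers for the SameSite=None; Secure pair.
# Function names are hypothetical; header lines are constructed samples.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure map to "".
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, cookie_name="PLAY_SESSION"):
    """Return a list of findings for cookie_name; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return []
    findings = []
    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("SameSite attribute missing (Chrome treats this as Lax)")
    elif same_site.lower() != "none":
        findings.append("SameSite=%s, expected None" % same_site)
    elif "secure" not in attrs:
        findings.append("SameSite=None without Secure (Chrome rejects the cookie)")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing")
    return findings


# Constructed samples (assumption: an affected build omits the attribute entirely).
SAMPLE_AFFECTED = "PLAY_SESSION=eyJhbGciOi.constructed; Path=/; Secure; HTTPOnly"
SAMPLE_FIXED = "PLAY_SESSION=eyJhbGciOi.constructed; SameSite=None; Path=/; Secure; HTTPOnly"
SAMPLE_INSECURE = "PLAY_SESSION=eyJhbGciOi.constructed; SameSite=None; Path=/"

if __name__ == "__main__":
    for label, header in [("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED),
                          ("insecure", SAMPLE_INSECURE)]:
        print(label, audit_cookie(header) or "OK")
```

Feed it the `Set-Cookie` lines from a response of the running application to check the session cookie after changing the Play version or the `play.http.session.*` settings.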
