Background: I've implemented "post-login redirection" for the application. AKA If a user is not logged in, but tries to open any arbitrary page, they will be redirected to that page upon logging in (as opposed to our default dashboard).
Things seem to be working fine at first - login works great, the user's data is added to the session, and the user is redirected to the target URI. However, upon loading the target URI, Play is also clearing the session cookie, and the user is logged out.
This occurs no matter what the final endpoint is. Curiously enough, if I explicitly add the session to the endpoint's response then there is no issue. For example, changing:
Ok(views.html.dashboard.profile(data))
To:
Ok(views.html.dashboard.profile(data)).withSession(session)
Although this works around the problem, it isn't a suitable solution. I don't want to explicitly add the session to every endpoint in the application - I would expect the .withSession(session)
behavior to be what happens by default.
What could be causing the session cookie to be cleared like this?
After some experimentation, we've determined the issue is most likely some bug in the version of Play we had been using (v2.1.1). We tested an upgrade to v2.1.3 and there no longer appears to be any issue. Didn't notice anything in the release notes that might explain what was going on, unfortunately.