Home/ Questions/Q 7734687
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T07:18:46+00:00

A lot of web frameworks have a standard setup for generating forms with auth

  • 0

A lot of web frameworks have a standard setup for generating forms with auth tokens.

Do I have to create such measures manually, or does Play come with a build in means of prevening CSRF?

The documentation on the Play website doesn’t seem to address this.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I use the play2-authenticitytoken module:

    The authenticity token is a way around one of the most serious internet security threats: CRSF attacks. It ensures that the client submitting a form is the one who received the page (and not a hacker who stole your session data).

    How it works:

    In a nutshell:

    1. on every form post, we add a hidden parameter containing a uuid
    2. the uuid is signed and its signature is stored in the session (which translated into a cookie)

    When the user submits the form, we get: the uuid, the signature and the other form inputs.

    1. We sign the incoming uuid again
    2. Validation passes if the signatures match (session.sign=uuid.sign)

    Should an attacker inject a different id, he will never figure how to generate the correct signature.

    • 0