Play framework weak secret key
Description
The Play Framework uses a secret key to cryptographically sign session cookies, ensuring their integrity and preventing tampering. This application is configured with a weak, default, or publicly known secret key. An attacker can use knowledge of this secret to forge valid session cookie signatures, bypassing the framework's built-in protection mechanisms.
Remediation
Generate a strong, cryptographically random secret key and update your application configuration immediately. The secret should be at least 64 characters long and contain random alphanumeric characters.
For Play Framework 2.x, update the application.conf file:
play.http.secret.key = "your-new-random-secret-key-at-least-64-characters-long"
For Play Framework 1.x, update the application.conf file:
application.secret = your-new-random-secret-key-at-least-64-characters-long
You can generate a secure random key with the Play Framework sbt task: run sbt playGenerateSecret from the shell, or playGenerateSecret from the sbt console. Ensure the secret key is stored securely and never committed to version control; use environment variables or secure configuration management for production deployments. After changing the secret, all existing user sessions are invalidated and users will need to re-authenticate.
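An added example (not part of the original advisory or of Play itself) that a reviewer can run against an application.conf to flag the weak-secret condition described above: it reads the Play 2.x play.http.secret.key or Play 1.x application.secret setting, checks it against the length rule in the remediation and a small list of known placeholder values, and includes a generator that satisfies those checks. The list of known weak values, the 16-distinct-character randomness heuristic and the conf sample are this example's own assumptions.

```python
import re
import secrets
import string

# Minimum length required by the remediation text above.
MIN_SECRET_LEN = 64

# Known weak values: Play 2.x's development default "changeme" and the
# placeholder string used in this advisory. Extend with others you know of.
KNOWN_WEAK = {
    "changeme",
    "your-new-random-secret-key-at-least-64-characters-long",
}

# Play 2.x: play.http.secret.key = "..."    Play 1.x: application.secret = ...
SECRET_RE = re.compile(
    r'^\s*(play\.http\.secret\.key|application\.secret)\s*=\s*"?([^"\n]*)"?\s*$',
    re.MULTILINE,
)


def check_secret(conf_text):
    """Return a list of findings for the secret configured in application.conf."""
    m = SECRET_RE.search(conf_text)
    if not m:
        return ["no secret key configured"]
    key, value = m.group(1), m.group(2).strip()
    if value.startswith("${"):
        return []  # HOCON substitution (e.g. ${?APPLICATION_SECRET}): set at runtime
    if not value:
        return [f"{key} is empty"]
    findings = []
    if value in KNOWN_WEAK:
        findings.append(f"{key} is a known default/placeholder value")
    if len(value) < MIN_SECRET_LEN:
        findings.append(f"{key} is {len(value)} chars, need at least {MIN_SECRET_LEN}")
    # Crude randomness heuristic (assumption): a generated key uses many distinct characters.
    if len(set(value)) < 16:
        findings.append(f"{key} uses only {len(set(value))} distinct characters")
    return findings


def generate_secret(length=MIN_SECRET_LEN):
    """Random alphanumeric secret from the CSPRNG-backed `secrets` module."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample conf using Play's development default.
    print(check_secret('play.http.secret.key = "changeme"\n'))
```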