Social state


To configure the CsrfStateItemHandler you must use the CsrfStateSettings class. This class has the following form:

case class CsrfStateSettings(
  cookieName: String = "CsrfState",
  cookiePath: String = "/",
  cookieDomain: Option[String] = None,
  secureCookie: Boolean = true,
  httpOnlyCookie: Boolean = true,
  expirationTime: FiniteDuration = 5 minutes)
cookieNameThe cookie name
cookiePathThe cookie path
cookieDomainThe cookie domain
secureCookieWhether this cookie is secured, sent only for HTTPS requests

This should be disabled for testing on localhost without SSL, otherwise cookie couldn't be set
httpOnlyCookieWhether this cookie is HTTP only, i.e. not accessible from client-side JavaScript code
expirationTimeState expiration. Defaults to 5 minutes which provides sufficient time to log in, but not too much. This is a balance between convenience and security


oauth2StateProvider.cookieName = "CsrfState"
oauth2StateProvider.cookiePath = "/"
oauth2StateProvider.secureCookie = false
oauth2StateProvider.httpOnlyCookie = true
oauth2StateProvider.expirationTime = 5 minutes