4

Update1:

Could you give me a short example on how to manage cookies and sessions in play2? (remember me function)

Okay I think I understand the main concept behind the play authentication.

Zentasks uses sessions. I know that sessions are only stored on the server. And sessions in play2 are already signed. Cookies are not.

What if the user wants to stay logged in even if he closes the browser?

I would need to use a cookie.

What should I do?

Do I create a cookie that creates a session?

for example

  • user has a valid cookie
  • get cookie val and create a new session

Or do I completely discard sessions and only use cookies instead? Because cookies are not signed automatically by play2, I have to do it myself, which I did.

response().setCookie("remember",Crypto.sign(rnd) + "-" + obj.getClass().getName() + "-" + rnd,12000);

(I know I didn't make it secure yet with the secured and http only flag)

I just don't want to invent a new and flawed system. I hope you can clear things up for me how to make authentication secure in play2.

Maik Klein
  • There's no place for "I'm sorries" ;) I edited your post. Now, explain please, what does it mean that 'user wants a cookie'? – biesior Aug 07 '12 at 13:44
  • Why asking the user for technical implementation? Just make sure to create a working and responsive app! BTW sessions are always managed by cookies: http://stackoverflow.com/questions/6398715/difference-between-creating-a-session-and-a-cookie – adis Aug 07 '12 at 13:46
  • @biesior I edited my post. (user wants a cookie ?) -> (What if the users wants to be logged in even if he closes the browser?) – Maik Klein Aug 07 '12 at 13:48

2 Answers

3

The session scope in Play is nothing more than a signed (secure) cookie (and it is stored on the client's side, not the server's!)

From the above docs:

It’s important to understand that Session and Flash data are not stored in the server but are added to each subsequent HTTP Request, using Cookies.

so you can keep the logged in state by checking if the session scope's key exists and matches any of your user.

De facto the session scope doesn't expire automatically, so your user will be logged in until he clicks on the logout action link (in which you just need to destroy the session's key) (only in some browsers)

biesior
  • okay thanks, but if I close the browser my session is gone. How can I prevent this? – Maik Klein Aug 07 '12 at 14:10
  • @MaikKlein : did you check it? I was just testing; the session scope is available even after closing the browser and purging the whole memory. So you should rather worry about how to destroy it if needed ;) – biesior Aug 07 '12 at 14:25
  • really? I double checked it. I always lose the "cookie". I tried IE and chrome. I used the command -> play run – Maik Klein Aug 07 '12 at 14:31
  • @MaikKlein : Really, really, check this simple test: https://github.com/biesior/test-play-session – biesior Aug 07 '12 at 14:53
  • Still gone. But I am currently on my linux laptop. Out of curiosity, I'll check your app on my pc. – Maik Klein Aug 07 '12 at 15:16
  • Nope it's always gone after I close my browser. I am using play 2.0.2 updating to 2.0.3 now – Maik Klein Aug 07 '12 at 15:29
  • Now I can see, that's dependent on the browser in OS X. will check this topic yet and will let you know if I will find some better conclusion – biesior Aug 07 '12 at 15:36
  • I agree with @biesior and your cookie should persist even if you close your browser. – ndeverge Aug 07 '12 at 18:41
  • Sorry @nico_ekito, apparently I made a mistake, the documentation says that the expiration time for the Session scope is Session - which means that after closing the browser it *should* be destroyed. Unfortunately some browsers on my Mac destroy it, others keep the session even after app and browser restart. Mischmasch. I have no time to find the way to make sure that the session will be kept or destroyed. Busy time, I'll be back to this topic in the next few days, I hope – biesior Aug 07 '12 at 19:00
  • Atm I am using a cookie to generate a valid session. But it doesn't feel right. :) – Maik Klein Aug 07 '12 at 20:26
  • @MaikKlein I'm just siting and reading: https://groups.google.com/forum/#!msg/play-framework/JkXNz1mbvZE/9L_yOwfPmTcJ - Guillaume wrote there, that's the correct way :) – biesior Aug 07 '12 at 20:30
  • @biesior recent versions of chrome are keeping session cookies alive between sessions :( http://code.google.com/p/chromium/issues/detail?id=128513 – Adam Rabung Aug 07 '12 at 21:51
  • @biesior He says " For a "Remember Me", use your own cookie, not the session one. " Okay this means that I should only use cookies and no sessions. Damn I already got this yesterday, now I have cookies + sessions. – Maik Klein Aug 07 '12 at 22:19
  • Could you give me a short example on how to manage cookies and sessions in play2? (remember me function) – Maik Klein Sep 05 '12 at 15:57
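The advice in the thread above (keep the Play session for the logged-in state, and use a separate, signed, HttpOnly/Secure cookie for "remember me") as a worked example. This is an added illustration, not biesior's code and not part of Play or Zentasks; it assumes the Play 2.0 Java API (Controller.request()/response()/session(), Http.Cookie, Crypto.sign, the seven-argument setCookie and discardCookies) and a hypothetical session key "uid" holding a numeric user id; the caller is expected to run it only after the password check has already succeeded.

```java
package controllers;

import java.security.MessageDigest;

import play.libs.Crypto;
import play.mvc.Controller;
import play.mvc.Http;
import play.mvc.Result;

// Added example (not the thread author's or the Play project's code): a
// "remember me" cookie kept separate from Play's session cookie. Cookie
// value: "<userId>-<expiresAtMillis>-<sig>", where sig is Crypto.sign()
// (HMAC keyed with application.secret) over "<userId>-<expiresAtMillis>".
// Editing the id or the expiry breaks the signature, so a forged cookie
// is rejected before anything else happens. "-" is a safe separator only
// because both fields are digits and the signature is hex.
public class RememberMe extends Controller {

    static final String COOKIE = "remember";
    static final String SESSION_KEY = "uid";          // assumed session key
    static final int MAX_AGE = 60 * 60 * 24 * 30;     // 30 days, in seconds

    static String encode(String userId, long expiresAt) {
        String payload = userId + "-" + expiresAt;
        return payload + "-" + Crypto.sign(payload);
    }

    // Returns the user id carried by a valid, unexpired remember-me cookie,
    // or null if the cookie is absent, malformed, tampered with or expired.
    static String userIdFromCookie(Http.Request req) {
        Http.Cookie c = req.cookies().get(COOKIE);
        if (c == null || c.value() == null) return null;
        String[] parts = c.value().split("-");
        if (parts.length != 3) return null;
        String expected = Crypto.sign(parts[0] + "-" + parts[1]);
        // constant-time comparison: do not leak where the signature differs
        if (!MessageDigest.isEqual(expected.getBytes(), parts[2].getBytes())) return null;
        long expiresAt;
        try {
            expiresAt = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (System.currentTimeMillis() > expiresAt) return null;
        return parts[0];
    }

    // Call right after a successful login when the user ticked "remember me".
    // path "/", no domain, secure=true (HTTPS only), httpOnly=true (no JS access).
    public static void remember(String userId) {
        long expiresAt = System.currentTimeMillis() + MAX_AGE * 1000L;
        response().setCookie(COOKIE, encode(userId, expiresAt), MAX_AGE, "/", null, true, true);
        session(SESSION_KEY, userId);
    }

    // Use from a protected action: prefer the live session; if the browser
    // dropped it, fall back to the remember-me cookie and re-create the session.
    public static String currentUserId() {
        String uid = session(SESSION_KEY);
        if (uid != null) return uid;
        uid = userIdFromCookie(request());
        if (uid != null) session(SESSION_KEY, uid);   // re-establish the short-lived session
        return uid;
    }

    public static Result logout() {
        session().clear();
        response().discardCookies(COOKIE);   // Play 2.0 name; later versions use discardCookie
        return redirect("/");
    }
}
```

Because the cookie is purely signed data, logging out only removes it from that browser; a copy stolen earlier stays valid until its expiry. If you need to revoke remembered logins (password change, "log out everywhere"), store a random per-login token server-side alongside the user and put that token in the cookie instead of the bare user id, so the server can delete it.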
0

This helped me a lot

http://bazaar.launchpad.net/~opensource21/permsec/trunk/view/head:/psec/app

Maik Klein