I am planning to replace existing custom authentication with play-authenticate. The REST API returns a token back to the client after successful login and all the subsequent requests add that token as a query parameter.
Looking at the play-authenticate code, user details seem to be stored in the Play Session.
However, I am not sure if the client will use cookies at all. The old version compares the token to the stored value in order to authenticate each request. Obviously I can extend PlayAuthenticate and override getUser etc. methods. Is there a better way to achieve this?