5

I'm working on my first website with the Play! framework, and at one point I'm calling this method when the user logs in:

static void connect(User user){
    session.put("userid", user.id);
}

Simply storing the userid in a session, and I can check if it's set on each request, works fine. Problem is, once the browser is closed the cookie is lost, and the user needs to login again. I want to create a "remember me" option, and it seems that the only way to do that is create a cookie and send it with the respons, like this:

response.setCookie("user", userdata, "14d");

So I'm wondering, what's the point in creating a session, when it does the exact same thing? (But does not give me any control over the cookie time). And another thing I havn't found yet, is how to read the cookie from the request?

(And I'm aware of the fact that cookies created with setCookie are not encrypted and I need to call Crypto.sign())

  • comment on some of the answers you got, claiming that sessions are stored at the server: Sessions in PHP and other frameworks are indeed stored at the server, but that's not the case in the Play Framework (this question is about Play). Quoting the Play doc: "It’s important to understand that Session and Flash data are not stored by the server but are added to each subsequent HTTP request, using the cookie mechanism.". https://www.playframework.com/documentation/2.5.x/ScalaSessionFlash – David Portabella Jul 05 '16 at 07:42

5 Answers5

3

1) A Session in Play! is always maintained via cookie (i.e in client side), this is attributed to 'Share nothing' approach.

2) If you use Secure module (or you can take a look at the code and follow if you are writing your own), the 'authenticate()' method takes the parameter 'remember' and set the session for 30 days (response.setCookie("rememberme", Crypto.sign(username) + "-" + username, "30d");)

ie. if user doesn't choose to be 'remembered', their session last only until the browser is closed.

3) The real difference is, as you mentioned, session.put() doesn't allow to set session time out. If you want to extend the session then set it on the cookie.

4) If you want additional authentication while user performing CRUD, (even if user choose to be 'remembered' or their session got extended explicitly by you) its better to set the username/id to cache (rather than setting another identifier to session again) and clear it off when user logout. This will scale well if you choose to use a distributed cache like memcache.

5) To read from cookie, request.cookies.get("name") comes handy.

sojin
  • 4,527
  • 2
  • 37
  • 40
  • I don't want to set the session of the cookie. I want to delete it explicitly. How can I do it? – James Jan 19 '12 at 04:46
1

There are two ways to store state in web apps - client side and server side.

On Server-side either you can use Session or Application objects. On Client-side you can use View State, Cookies, hidden fields, etc.

Session has a timeout duration after which it expires. When ever you access a web application a session is created for you which lasts for a duration. Hence it is per user thing. Even if you increase the timeout duration, it still expires if you close the browser. Application object is shared between all users.

Cookies are a better way to store such information which needs to be remembered for a longer duration e.g. a day or more. You would have noticed that google allows you to stay logged in for days. That is because they use cookies for state management and not sessions.

Hasan Fahim
  • 3,875
  • 1
  • 30
  • 51
0

You should store the user id in cookie in exactly the same point where you did with session attribute. Use HttpServletRequest.getCookies() for reading cookie. This method returns array of cookies, so you have to iterate over the array to identify relevant cookie.

To change cookie, just override it.

AlexR
  • 114,158
  • 16
  • 130
  • 208
0

The session lets you tie server-side data to the specific browser session: under the hood a cookie is automatically created that the server uses to look up the server-side data associated with a specific browser.

Control over the session cookie expiry is typically done somewhere in your framework's configuration (or sometimes in the web.xml file used by the app server). You can read the cookie from the HttpServletRequest's getCookies method.

EDIT: this is the getCookies documentation, and for the Play! framework see http://groups.google.com/group/play-framework/msg/6e40b07ff9b49a8a for an example of persistent login and cookie retrieval.

Femi
  • 64,273
  • 8
  • 118
  • 148
  • So In my case, I'm better off just using a cookie, instead of a session? –  Jun 18 '11 at 21:17
  • Sessions are generally useful if you have some (reasonable) amount of data you want to make accessible to your server side code on a regular basis but not share with the client (an example would be permissions information that you need to verify each call but you don't want to hit the database). Some frameworks let you do crypted cookies and have the browser send the info with each request, but there are size limitations on that. If you don't need that (or are trying to do a shared-nothing setup for load balancing purposes) then yes, you should just use a cookie. – Femi Jun 18 '11 at 22:27
0

Basically a session is only viable for the period of time in which a user is interacting with your application + the session timeout that you specify. The usability of cookies is to store relevant information to the user so that, when they come back to the website again, you may identify them once more.

For instance, if you have both sensitive and insensitive information regarding a user, you could make your application more friendly by determining who they are via a cookie and loading all of the insensitive information. Once they authenticate themselves then you can load the sensitive information as well.

MSDN has some great reference material as to how to work with cookies at http://msdn.microsoft.com/en-us/library/ms178194.aspx

MoarCodePlz
  • 5,086
  • 2
  • 25
  • 31