
Play framework how do sessions and cookies work?

How does play validate a cookie?

  • I noticed that after I restarted the server I was still logged in even though I don't persist any session data in the database.
  • I also noticed that I could set the date on the server to be later than the expiry date of the cookie and still I was logged in.
  • I logged out (saved the cookie to a text file) and the browser lost the cookie. Then I recreated the cookie from the text file and I was logged in again.

The cookie looks like this:

PLAY_SESSION=e6443c88da7xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-userid%3A1

// My logout code
def logout() = Action {
  Ok("").withNewSession
}

From the documentation
Discarding the whole session
There is special operation that discards the whole session:

Ok("Bye").withNewSession

You didn't specify how you authenticate users, so I just guess that you're using the simple sample, which is... simple.

It uses the user's id to identify the user and checks that the signed session cookie wasn't manipulated, therefore if you recreate the cookie with a proper signature it will still be valid.

You should create some area for session keys on the server side, i.e. in the DB or in a memory cache (which will be faster than the DB). Its key should be randomly generated (and preferably quite long) for each successful login action, and should also contain data for identifying the user, expiration date etc. Next you should put this random sess_key into Play's session instead of the email address of the logged-in user or the id of his row in the DB, and after logout and/or the expiration date it should be removed. In such a case, even if you lose the cookie after logout, it will be impossible to log in properly with a non-existing sess_key.

AFAIR the standard memory cache will be purged at every restart of the application; to make sure that all sess_keys from the DB will be removed as well, you can use the Global object and truncate the table in the onStart(...) method.

I found the answer reading the documentation more carefully and combining different parts.

There is no technical timeout for the Session. It expires when the user closes the web browser. If you need a functional timeout for a specific application, just store a timestamp into the user Session and use it however your application needs (eg for a maximum session duration, maximum inactivity duration, etc.).


It's important to understand that Session and Flash data are not stored by the server but are added to each subsequent HTTP request, using the cookie mechanism. This means that the data size is very limited (up to 4 KB) and that you can only store string values.


So that was what I feared: if the cookie gets lost, anyone can log in to the server for all future.

What I have to do to secure this is to add a self-made timestamp authorization (save a timestamp in the cookie and validate it server side).
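The two fixes proposed on this page (the server-side sess_key registry from the first answer and the expiry check from the asker's own answer) modelled side by side with the signed-only cookie from the question. This is an added, framework-independent Python model, not Play's own code: the signing shape (`<hmac-sha1 hex>-<payload>`, mirroring the PLAY_SESSION value above) and the application secret are assumptions, and no real Play API is used.

```python
import hashlib, hmac, secrets

SECRET = b"constructed-app-secret"   # stand-in for the Play application secret

def sign(data: str) -> str:
    """Signed cookie in the shape seen in the question: <hmac-sha1 hex>-<payload>."""
    return hmac.new(SECRET, data.encode(), hashlib.sha1).hexdigest() + "-" + data

def verify(cookie: str):
    """Return the payload if the signature matches, else None; nothing else is checked."""
    _, _, data = cookie.partition("-")
    return data if hmac.compare_digest(sign(data), cookie) else None

class SessionStore:
    """Server-side registry of session keys (the DB table / memory cache from the answer)."""
    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self.keys = {}                            # sess_key -> (user_id, expires_at)

    def login(self, user_id: int, now: float) -> str:
        sess_key = secrets.token_urlsafe(32)      # random and long, fresh per login
        self.keys[sess_key] = (user_id, now + self.ttl)
        return sign("sess_key:" + sess_key)       # only the key goes into the cookie

    def _key(self, cookie: str):
        data = verify(cookie)
        return data[len("sess_key:"):] if data and data.startswith("sess_key:") else None

    def logout(self, cookie: str) -> None:
        self.keys.pop(self._key(cookie), None)    # revoke: a saved copy is now useless

    def user_for(self, cookie: str, now: float):
        entry = self.keys.get(self._key(cookie))
        if entry is None or now > entry[1]:
            return None                           # unknown, revoked or expired
        return entry[0]

def demo():
    # Signed-only cookie as in the question: a saved copy verifies forever.
    saved_copy = sign("userid:1")
    replay_ok = verify(saved_copy) == "userid:1"
    # Server-side keys: the same saved copy dies on logout and on expiry.
    store, t0 = SessionStore(ttl_seconds=3600), 1_700_000_000.0
    cookie = store.login(1, t0)
    before = store.user_for(cookie, t0 + 10)
    store.logout(cookie)
    after_logout = store.user_for(cookie, t0 + 20)
    cookie2 = store.login(1, t0)
    after_expiry = store.user_for(cookie2, t0 + 3601)
    return replay_ok, before, after_logout, after_expiry
```

`demo()` returns `(True, 1, None, None)`: the signed-only cookie replays, while the registry-backed cookie is accepted before logout and rejected after logout and after its TTL has passed.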
