Scala or not, JSON or not, XHR or not the mechanism is still the same. You send login and password to the server (salt-hash the password on the client-side to make it safer), server authenticates it (checks if login and password match the one in db), then it creates a session for the user (in DB or in memory – depending on your needs) and sends the session ID to the user as a cookie (AJAX requests/responses should work correctly with cookies).

Now on every request you check for the session cookie and verify if it points to the valid user (i.e. if it points to anything). Logout is as simple as deleting the session entry with given ID. The ID should be created in such a way that first: it is long (to minimize threat of session hijacking) and second: it contains the date encoded (so you can clean expired sessions).

This is so called Form-based Authentication.

// EDIT

Let me answer the questions in comments. How does session work?

Server creates session. Session is nothing else then table in DB with 2 columns: ID and Value (here you will hold session data encoded in JSON and compressed if necessary like for example things you want to buy from eShop). When client is successfully authenticated server send the session ID to the user via cookies. So server has to add the following header to the response:

Set-Cookie: session=ID32445235423tdwfnmm; Expires=Wed, 09 Jun 2012 10:18:14 GMT

Now the browser understands this header and sets the cookie for client. From this point whenever you make a request the browser automatically adds cookies to the request, so every request from now on will have the following header

Cookie: session=ID32445235423tdwfnmm; other_cookie:other_value;

unless the date is after Wed, 09 Jun 2012 10:18:14 GMT. If this is the case then our session cookie will be omitted (note that this is not the same as destroying session on the server side which you have to handle manually).

Now you have to decode the Cookie header on the server side and retrieve the ID. Using some framework is a great idea at this point, because it is a bad practice to write decoding code in every request. You should use so called middleware here. Now this middleware retrieves the ID, checks the DB for session and stores the result (i.e. user is authenticated or not) in request object to be used later (i.e. in the final request handler).

So as you can see you don’t use JavaScript at all.

Also you set the cookie only on login request (although you can set it on every request to minify session hijacking problem – but that’s even more complicated). It is browser’s job to store the ID. On server side you only check if the Cookie header contains session key.