I’m working on my first website with the Play! framework, and at one point I’m calling this method when the user logs in:
static void connect(User user) {
    session.put("userid", user.id);
}
Simply storing the userid in a session, and I can check if it’s set on each request, works fine. Problem is, once the browser is closed the cookie is lost, and the user needs to log in again. I want to create a “remember me” option, and it seems that the only way to do that is to create a cookie and send it with the response, like this:
response.setCookie("user", userdata, "14d");
So I’m wondering, what’s the point in creating a session, when it does the exact same thing? (But does not give me any control over the cookie time). And another thing I haven’t found yet is how to read the cookie from the request?
(And I’m aware of the fact that cookies created with setCookie are not encrypted and I need to call Crypto.sign())
1) A Session in Play! is always maintained via cookie (i.e. on the client side); this is attributed to the ‘Share nothing’ approach.
2) If you use the Secure module (or you can take a look at the code and follow it if you are writing your own), the ‘authenticate()’ method takes the parameter ‘remember’ and sets the session for 30 days:
response.setCookie("rememberme", Crypto.sign(username) + "-" + username, "30d");
i.e. if the user doesn’t choose to be ‘remembered’, their session lasts only until the browser is closed.
3) The real difference is, as you mentioned, session.put() doesn’t allow setting a session timeout. If you want to extend the session then set it on the cookie.
4) If you want additional authentication while the user is performing CRUD (even if the user chose to be ‘remembered’ or their session got extended explicitly by you), it’s better to set the username/id in the cache (rather than setting another identifier in the session again) and clear it when the user logs out. This will scale well if you choose to use a distributed cache like memcache.
5) To read from the cookie,
request.cookies.get("name") comes in handy.
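
The server-side check for the "rememberme" value quoted in point 2, as an added example that is not part of the original answer or of Play's Secure module. It assumes Crypto.sign() is a hex-encoded HMAC-SHA1 over the application secret and uses a local stand-in for it; the class name, method names and secret are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class RememberMeCookie {
    // Constructed secret for this demo; a Play app would use its application secret.
    private static final byte[] SECRET =
            "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);

    // Stand-in for Crypto.sign(): hex-encoded HMAC-SHA1 (assumption, see lead-in).
    static String sign(String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA1"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(message.getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Builds the value passed to response.setCookie("rememberme", ..., "30d").
    static String issue(String username) throws Exception {
        return sign(username) + "-" + username;
    }

    // Returns the username if the signature matches it, otherwise null.
    // Input: the value of the cookie read with request.cookies.get("rememberme").
    static String verify(String cookieValue) throws Exception {
        if (cookieValue == null) return null;
        // Split on the FIRST '-': the hex signature never contains one,
        // while a username may.
        int dash = cookieValue.indexOf('-');
        if (dash <= 0 || dash == cookieValue.length() - 1) return null;
        String sig = cookieValue.substring(0, dash);
        String username = cookieValue.substring(dash + 1);
        byte[] expected = sign(username).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison, so response timing does not leak
        // how many leading characters of a guessed signature were right.
        boolean ok = MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.UTF_8));
        return ok ? username : null;
    }

    public static void main(String[] args) throws Exception {
        String cookie = issue("alice-smith");
        System.out.println(verify(cookie));                           // untampered value
        System.out.println(verify(cookie.replace("alice", "admin"))); // username changed, signature kept
        System.out.println(verify("alice-smith"));                    // no valid signature part
    }
}
```

Because the signed string is only the username, the signature itself never expires; the 30-day limit is applied by the browser, so enforcing expiry on the server requires including an expiry time in the signed value.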