Play framework how do sessions and cookies work?

How does play validate a cookie?

  • I noticed that after I restarted the server I was still logged in even though I don't persist any session data in the database.
  • I also noticed that I could set the date on the server to be larger than the expiry date of the cookie and still I was logged in.
  • I logged out (saved the cookie to a text file) and the browser lost the cookie. Then I recreated the cookie from the text file and I was logged in again.

The cookie looks like this:

PLAY_SESSION=e6443c88da7xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-userid%3A1

// My logout code (Play 2 Scala controller action; the import is added so the snippet is complete)
import play.api.mvc._

def logout() = Action {
  Ok("").withNewSession   // replaces the signed PLAY_SESSION cookie with an empty session
}

From the documentation
Discarding the whole session
There is special operation that discards the whole session:

Ok("Bye").withNewSession
Farmor Avatar asked Jan 31 '13 14:01

Farmor


2 Answers

You didn't specify how you authenticate users, so I just guess that you're using the simple sample, which is... simple.

It uses the user's id to identify the user and checks whether the signed session cookie wasn't manipulated; therefore, if you recreate the cookie with a proper signature it will still be valid.

You should create some area for session keys on the server side, i.e. in the DB or in a memory cache (which will be faster than the DB). Its key should be randomly generated (and preferably quite long) for each successful login action, and it should also contain data for identifying the user, expiration date etc. Next you should put this random sess_key into Play's session instead of the email address of the logged-in user or the id of his row in the DB, and after logout and/or the expiration date it should be removed. In such a case, even if you lose the cookie after logout it will be impossible to log in properly with a non-existing sess_key.

AFAIR the standard memory cache will be purged at every restart of the application; to make sure that all sess_keys in the DB are removed as well, you can use the Global object and truncate the table in the onStart(...) method.

biesior Avatar answered Sep 18 '22 09:09

biesior
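The server-side session registry this answer describes, as an added illustration (this is not biesior's code and not part of Play itself): a random, long key is created per login, stored server side together with the user id and an expiry, and removed on logout. The names SessionStore, ServerSession, create, lookup, revoke and clearAll are assumptions for the example, and an in-memory ConcurrentHashMap stands in for the DB table or cache so the code runs without Play. The Play wiring would be `Ok(...).withSession("sess_key" -> key)` after login, `request.session.get("sess_key")` on each request, and `revoke(key)` next to `withNewSession` on logout.

```scala
// Added example: server-side session keys with revocation (names are assumptions).
import java.security.SecureRandom
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

// What the server remembers for one key: who it belongs to and when it stops being valid.
final case class ServerSession(userId: Long, expiresAt: Long)

object SessionStore {
  private val rng = new SecureRandom()
  // Stand-in for the DB table or cache mentioned in the answer.
  private val sessions = new ConcurrentHashMap[String, ServerSession]()

  /** 32 random bytes, URL-safe base64: long and unguessable, unlike a user id. */
  private def newKey(): String = {
    val bytes = new Array[Byte](32)
    rng.nextBytes(bytes)
    Base64.getUrlEncoder.withoutPadding.encodeToString(bytes)
  }

  /** Called on successful login; the returned key is what goes into Play's session cookie. */
  def create(userId: Long, ttlMillis: Long, now: Long = System.currentTimeMillis()): String = {
    val key = newKey()
    sessions.put(key, ServerSession(userId, now + ttlMillis))
    key
  }

  /** Called on every request with the key taken from the cookie. Returns the user only if
    * the key exists and has not expired; an expired key is removed while we are at it. */
  def lookup(key: String, now: Long = System.currentTimeMillis()): Option[Long] =
    Option(sessions.get(key)) match {
      case Some(s) if s.expiresAt > now => Some(s.userId)
      case Some(_)                      => sessions.remove(key); None
      case None                         => None
    }

  /** Called on logout together with withNewSession: a copy of the old cookie may survive in
    * a text file, but the key it carries no longer maps to anything on the server. */
  def revoke(key: String): Unit = sessions.remove(key)

  /** Equivalent of truncating the session table in Global.onStart after a restart. */
  def clearAll(): Unit = sessions.clear()
}

object SessionStoreDemo extends App {
  val t0 = 1000L                                   // constructed clock value for the demo
  val key = SessionStore.create(userId = 1L, ttlMillis = 60000L, now = t0)
  assert(SessionStore.lookup(key, now = t0 + 1000) == Some(1L))   // active session
  SessionStore.revoke(key)                                        // logout
  assert(SessionStore.lookup(key, now = t0 + 2000).isEmpty)       // replayed cookie is rejected
  val key2 = SessionStore.create(1L, 60000L, now = t0)
  assert(SessionStore.lookup(key2, now = t0 + 60001).isEmpty)     // expired server side
  SessionStore.clearAll()                                         // restart: everything gone
  println("session store checks passed")
}
```

Because validity is decided by the server-side entry and not by the cookie's contents, the three observations in the question (survives a restart, survives a clock change, survives a logout) all stop being true: a restart clears the store, expiry is compared against the server clock at lookup time, and logout deletes the entry the cookie points to.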


I found the answer reading the documentation more carefully and combining different parts.

There is no technical timeout for the Session. It expires when the user closes the web browser. If you need a functional timeout for a specific application, just store a timestamp into the user Session and use it however your application needs (e.g. for a maximum session duration, maximum inactivity duration, etc.).


It’s important to understand that Session and Flash data are not stored by the server but are added to each subsequent HTTP request, using the cookie mechanism. This means that the data size is very limited (up to 4 KB) and that you can only store string values.


So that was what I feared: if the cookie gets lost, anyone can log in to the server for all future.

What I have to do to secure this is to add a self-made timestamp authorization (save a timestamp in the cookie and validate it server side).

Farmor Avatar answered Sep 21 '22 09:09

Farmor
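The timestamp approach from this answer and the quoted documentation, as an added illustration (not Farmor's code and not Play's): the session stays a signed cookie with no server-side state, and the server enforces a maximum inactivity and a maximum total duration from timestamps it wrote into that cookie itself. The object name SessionTimeout, the functions newSession and checkAndRefresh, the keys "userid", "loginAt" and "lastSeen" and the two limits are assumptions for the example; Play's Session is used here in its Map[String, String] shape. This only works because Play signs the cookie (the hash prefix visible in the question's PLAY_SESSION value), so the timestamps cannot be edited client side; it does not, on its own, reject a logged-out cookie that is replayed before the limits run out, which is what the server-side key in the other answer adds.

```scala
// Added example: functional session timeout from timestamps in the signed cookie
// (names and limits are assumptions).
import scala.util.Try

object SessionTimeout {
  val MaxInactivityMillis: Long = 30L * 60 * 1000      // 30 minutes without a request
  val MaxDurationMillis: Long   = 8L * 60 * 60 * 1000  // 8 hours after login, regardless of activity

  private def longValue(session: Map[String, String], key: String): Option[Long] =
    session.get(key).flatMap(s => Try(s.toLong).toOption)

  /** Session contents written at login time, e.g. Ok(...).withSession(newSession(id, now).toSeq: _*). */
  def newSession(userId: Long, now: Long): Map[String, String] =
    Map("userid" -> userId.toString, "loginAt" -> now.toString, "lastSeen" -> now.toString)

  /** Run on every authenticated request with the server's own clock. Returns the session with a
    * refreshed "lastSeen" while it is still valid, or None when data is missing or malformed,
    * a timestamp lies in the future, the user was idle too long, or the login is too old.
    * The caller answers with .withSession(refreshed.toSeq: _*) or .withNewSession respectively. */
  def checkAndRefresh(session: Map[String, String], now: Long): Option[Map[String, String]] =
    for {
      _        <- session.get("userid")
      lastSeen <- longValue(session, "lastSeen")
      loginAt  <- longValue(session, "loginAt")
      if lastSeen <= now && loginAt <= now            // a cookie cannot make itself younger
      if now - lastSeen <= MaxInactivityMillis
      if now - loginAt  <= MaxDurationMillis
    } yield session.updated("lastSeen", now.toString)
}

object SessionTimeoutDemo extends App {
  val minute = 60L * 1000
  val t0 = 1000L                                       // constructed clock value for the demo
  val s = SessionTimeout.newSession(1L, t0)
  val active = SessionTimeout.checkAndRefresh(s, t0 + 10 * minute)
  assert(active.exists(_("lastSeen") == (t0 + 10 * minute).toString))   // still valid, refreshed
  assert(SessionTimeout.checkAndRefresh(s, t0 + 31 * minute).isEmpty)   // idle too long
  assert(SessionTimeout.checkAndRefresh(s, t0 - 1).isEmpty)             // server clock moved back
  val tampered = s.updated("lastSeen", "not-a-number")
  assert(SessionTimeout.checkAndRefresh(tampered, t0 + minute).isEmpty) // malformed value rejected
  println("session timeout checks passed")
}
```

Rejecting timestamps that lie in the future covers the second observation in the question: moving the server clock past the cookie's own dates no longer keeps a session alive, because every comparison uses the server's current time against values the server itself wrote.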