Play! framework: using session for authentication

So I'm using the Play! framework for a website project.
I'm using the session to determine whether the user has logged in:

session("connected", user.getId().toString());

Then I can easily identify who the user is whenever I want to.

I have two questions:

  1. Is this the best practice?
  2. Are there vulnerabilities in my simple login system, and how can I remove them?
socksocket asked Aug 22 '12 14:08

1 Answer

It's simple and secure, as session-scope cookies are signed with a secret key. If there is no need to store a large amount of data for each session, it should be OK.

Take a look at existing solutions (i.e. the zentasks sample).

Edit:

On the other hand, you can consider using Play Authenticate. I've added session handling to the sample in my fork (branch 2.0.4_session) in samples/java/play-authenticate-usage; it's just 3 commits, so it's quite easy to merge it into the existing play-authenticate-usage implementation.

biesior answered Nov 07 '22 14:11
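An added example (not code from the question, the answer, or the zentasks sample) showing how the `session("connected", ...)` check from the question is normally centralised in Play 2 Java: one `Security.Authenticator` reads the signed session cookie for every protected action, and login clears any pre-existing session before setting the key. It assumes a `User` model with a static `authenticate(email, password)` that returns `null` on failure and a `/login` route; both are assumptions, not part of the page.

```java
// file: app/controllers/Secured.java  (added example, not from the page)
package controllers;

import play.mvc.Http;
import play.mvc.Result;
import play.mvc.Security;

// The single place that decides what "logged in" means: the signed session
// cookie must carry the "connected" key that the login action sets below.
public class Secured extends Security.Authenticator {
    @Override
    public String getUsername(Http.Context ctx) {
        // null means "not authenticated"; Play then calls onUnauthorized
        return ctx.session().get("connected");
    }

    @Override
    public Result onUnauthorized(Http.Context ctx) {
        return redirect("/login"); // assumed route for the login form
    }
}

// file: app/controllers/Application.java  (same added example)
package controllers;

import java.util.Map;
import models.User;   // assumed model with static authenticate(email, password)
import play.mvc.Controller;
import play.mvc.Result;
import play.mvc.Security;

public class Application extends Controller {
    // POST /login: verify credentials, then start a fresh session.
    public static Result authenticate() {
        Map<String, String[]> form = request().body().asFormUrlEncoded();
        if (form == null || !form.containsKey("email") || !form.containsKey("password")) {
            return badRequest("email and password are required");
        }
        User user = User.authenticate(form.get("email")[0], form.get("password")[0]);
        if (user == null) {
            return unauthorized("Invalid email or password");
        }
        session().clear();                             // drop anything set before login
        session("connected", user.getId().toString()); // the value from the question
        return redirect("/");
    }

    // Every action behind this annotation runs Secured.getUsername() first.
    @Security.Authenticated(Secured.class)
    public static Result index() {
        return ok("Logged in as user " + request().username()); // set from getUsername()
    }

    public static Result logout() {
        session().clear(); // the signed cookie is replaced, so the old one no longer authenticates
        return redirect("/login");
    }
}
```

The session cookie is signed with `application.secret` but not encrypted, so the client can read the stored id; keep anything sensitive server-side and keep the secret out of version control.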