Better ways to implement a more secure Play Scala framework session via cookie

<p>I really like the idea of keeping session data in the user's browser, but I don't like the fact that session cookies are not very secure in the Play framework. If someone steals the cookie, he/she could use it to permanently access the site, since the cookie signature does not expire, and cookie expiration doesn't help here because it doesn't stop them from reusing the cookie once it has been stolen.</p>
<p>I've added a timestamp to expire the session after 1 hr, and every 5 min the timestamp is updated if the user is still using the site, so the cookie signature is rolling and expiring.</p>
<p>I am pretty new to Scala and the Play framework, so any suggestions or better ways to achieve the same would be much appreciated.</p>
<pre><code>import play.api.mvc._
import scala.util.Try

trait Secured {

  // Assumed helpers (the standard Play pattern; not part of the original post):
  // the user name lives in the signed session cookie, and unauthenticated
  // requests are sent to the login page.
  private def username(request: RequestHeader): Option[String] =
    request.session.get("username")

  private def onUnauthorized(request: RequestHeader): Result =
    Results.Redirect(routes.Auth.login())

  def withAuth(f: =&gt; String =&gt; Request[AnyContent] =&gt; Result) = {
    Security.Authenticated(username, onUnauthorized) { user =&gt;
      Action(request =&gt; {
        val sessionRolloverPeriod = 300L // re-sign the cookie after 5 min of use
        val sessionExpiryTime = 3600L    // reject cookies whose "ts" is older than 1 h
        val currentTime = System.currentTimeMillis() / 1000L
        // A missing or malformed "ts" is treated as expired instead of throwing.
        val sessionCreationTime: Option[Long] =
          request.session.get("ts").flatMap(ts =&gt; Try(ts.toLong).toOption)

        sessionCreationTime match {
          case Some(created) if currentTime &lt;= created + sessionExpiryTime =&gt;
            if (currentTime &gt;= created + sessionRolloverPeriod) {
              // Within the hour and at least 5 min old: roll the timestamp so the
              // cookie is re-signed with a fresh "ts".
              f(user)(request).withSession(request.session + ("ts" -&gt; currentTime.toString))
            } else {
              f(user)(request)
            }
          case _ =&gt;
            // Expired (or no timestamp at all): drop the session and log in again.
            Results.Redirect(routes.Auth.login()).withNewSession
        }
      })
    }
  }
}
</code></pre>
<p>Cookies produced every 5 min:</p>
<pre><code>Cookie:PS="a6bdf9df798c24a8836c2b2222ec1ea4a4251f301-username=admin&amp;ts=1381180064"
Cookie:PS="D7edg7df709b54B1537c2b9862dc2eaff40001c90-username=admin&amp;ts=1381180380"
</code></pre>
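An added, self-contained Python model of the rule in the question (not code from the post or from Play itself): it reproduces the `<hex signature>-<payload>` cookie layout shown above using HMAC-SHA1 under a constructed secret, verifies the signature in constant time, and then applies the 1 h expiry and 5 min rollover. The secret, the helper names and the use of HMAC-SHA1 for the signature are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed secret for the demo only; a real Play app keeps this in application.secret.
SECRET = b"demo-application-secret-not-for-production"

SESSION_ROLLOVER_PERIOD = 300   # re-sign the cookie after 5 min of use
SESSION_EXPIRY_TIME = 3600      # reject cookies whose "ts" is older than 1 h


def sign(data: str) -> str:
    """Build a cookie value in the '<hex hmac>-<payload>' layout from the post."""
    mac = hmac.new(SECRET, data.encode(), hashlib.sha1).hexdigest()
    return f"{mac}-{data}"


def verify(cookie: str) -> Optional[Dict[str, str]]:
    """Return the session map if the signature covers the payload, else None."""
    sig, sep, data = cookie.partition("-")
    if not sep:
        return None
    expected = hmac.new(SECRET, data.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return dict(parse_qsl(data))


def check_session(cookie: str, now: int) -> Tuple[str, Optional[str]]:
    """Apply the expiry/rollover rule. Returns (decision, cookie to send back)."""
    session = verify(cookie)
    if session is None:
        return ("invalid", None)
    try:
        ts = int(session["ts"])          # "ts" is inside the signed payload,
    except (KeyError, ValueError):       # so the client cannot move it forward
        return ("invalid", None)
    if now > ts + SESSION_EXPIRY_TIME:
        return ("expired", None)         # force a fresh login
    if now >= ts + SESSION_ROLLOVER_PERIOD:
        session["ts"] = str(now)         # roll: re-sign with the current time
        return ("refreshed", sign(urlencode(session)))
    return ("ok", cookie)
```

Note that the rule bounds a stolen cookie's lifetime only while it sits unused: any valid cookie presented within the window is re-signed with a fresh `ts`, so server-side revocation is still needed to cut off an active thief.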