I think you could remove the User class/object pair from the app and replace them with:
object LoginState {
// Session-scoped primary key of the currently logged-in user; stays Empty until logUserIn sets it
// and is cleared again by logUserOut. This key is the only login state kept in the session, so
// everything that decides "who is this request" derives from it.
object primaryKey extends SessionVar[Box[Long]](Empty) // the primary key of the currently logged in user... change to Box[String] if the PK is a String
/**
 * Request-scoped user record, computed from the session's primary key through `lookupUser`.
 *
 * `lookupUser` is not shown here; presumably it loads the user by key and yields an empty Box
 * when no such user exists (verify against its definition). logUserIn and logUserOut both
 * call `remove()` on this var, so a value computed earlier in the same request is not reused
 * after the login state changes.
 */
object currentUser
  extends RequestVar[Box[YourUserClass]](
    primaryKey.is.flatMap(lookupUser(_))
  )
/**
 * Marks `u` as the logged-in user for this session.
 *
 * The cached request-level user is dropped first so the next read of `currentUser` is
 * recomputed from the new key.
 *
 * NOTE(review): the session itself is not renewed here, so a session identifier issued before
 * authentication remains valid afterwards. Unless the container rotates it at login, start a
 * fresh session before storing the key (Lift's ProtoUser exposes this as
 * `destroySessionOnLogin`; confirm what the Lift version in use offers).
 *
 * @param u the authenticated user; the caller is expected to have verified the credentials
 */
def logUserIn(u: YourUserClass): Unit = {
  currentUser.remove()
  val key = Full(u.getPrimaryKey)
  primaryKey.set(key)
}
/**
 * Logs the current user out: clears the cached user and the session's primary key, then
 * invalidates the underlying session of the current request, if there is one.
 *
 * Clearing the vars before invalidating means the login state is gone even when no request is
 * available and the invalidate step is skipped.
 */
def logUserOut(): Unit = {
  currentUser.remove()
  primaryKey.remove()
  // Invalidate last, so the server-side session cannot be replayed after logout.
  for (req <- S.request) {
    req.request.getSession.invalidate
  }
}
/**
 * True when the session holds a primary key.
 *
 * This only checks that a key is present; it does not call `lookupUser`, so it stays true for a
 * key whose user can no longer be resolved. Code that needs an existing account should test
 * `currentUser` instead.
 */
def loggedIn_? : Boolean = {
  val sessionKey = primaryKey.is
  sessionKey.isDefined
}