How is the session id maintained in Play 2.0


Maxime Lévesque

Feb 14, 2012, 3:53:52 PM
to play-fr...@googlegroups.com

Hi, I'd like to know the approach used by Play in order to be secure and stateless.
I suppose that it has to be done by applying proper cryptography techniques
to a session ID cookie. Is there some doc on this, or perhaps some code?

If the strategy differs in Play 1 or Play 2, I'm more interested in Play 2.0.

Thanks


Guillaume Bort

Feb 15, 2012, 6:48:09 AM
to play-fr...@googlegroups.com
The session content is not kept on server side, and is just serialized
to a Session Cookie. This cookie is signed with the secret application
key using HMAC-SHA1.


--
Guillaume Bort

Meglio

Feb 25, 2012, 5:13:29 PM
to play-fr...@googlegroups.com

There is no technical timeout for the Session. It expires when the user closes the web browser. 

How can I change session expiration time?
I want to keep the user signed in for many days, but if I lose the cookies once the browser is closed,
how can I implement authorization for something like 2 weeks or so?

Tom Bocklisch

Feb 27, 2012, 6:26:03 AM
to play-framework
You can't implement long-living sessions without cookies. Without
them you are not able to verify clients. Therefore you are lost if the
client deletes all his cookies when closing the browser.

The current session cookie does not set any expiration, so it defaults
to "session". As far as I know there is currently no support for
changing this expiration via settings.
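
The scheme described in this thread (session serialized into the cookie and signed with HMAC-SHA1 under the application secret), as an added Python example that is not part of the thread and not Play's own code. The `signature-payload` layout, the `_ts` field, the secret and the function names are assumptions made for illustration; the example goes beyond the thread by covering an issue time with the signature so the server can bound the session's age even though the cookie carries no expiry.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed value for this example; a real application secret is random and private.
SECRET = b"constructed-example-application-secret"
MAX_AGE = 14 * 24 * 3600  # two weeks, the lifetime asked about in the thread


def sign(payload, secret=SECRET):
    """Hex HMAC-SHA1 of the serialized session, keyed with the application secret."""
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha1).hexdigest()


def encode_session(data, now=None, secret=SECRET):
    """Serialize the session with an issue time (_ts) and prepend its signature."""
    issued = int(time.time() if now is None else now)
    payload = urlencode(sorted(dict(data, _ts=str(issued)).items()))
    return sign(payload, secret) + "-" + payload


def decode_session(cookie, now=None, secret=SECRET, max_age=MAX_AGE):
    """Return the session dict, or None if the cookie is altered, forged or too old."""
    signature, sep, payload = cookie.partition("-")
    if not sep:
        return None
    # Constant-time comparison: do not reveal how much of a guessed signature matched.
    expected = sign(payload, secret)
    if not hmac.compare_digest(signature.encode("utf-8"), expected.encode("utf-8")):
        return None
    fields = dict(parse_qsl(payload, keep_blank_values=True))
    issued = fields.pop("_ts", "")
    # The cookie is signed, not encrypted: the client can read it but not change it.
    # Because _ts is covered by the signature, the server can enforce a maximum age
    # even though the cookie itself carries no expiry.
    if not issued.isdecimal():
        return None
    current = time.time() if now is None else now
    if current - int(issued) > max_age:
        return None
    return fields


if __name__ == "__main__":
    cookie = encode_session({"user": "alice"})  # constructed sample session
    print(cookie)
    print(decode_session(cookie))
    print(decode_session(cookie.replace("alice", "admin")))  # None: signature mismatch
```

The age check only limits how long the server accepts a cookie; whether the browser keeps the cookie after it is closed still depends on the cookie's own expiration attribute.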