I just wrote this long response on a closed pull request on github. Figured I would repost it here to generate more discussion.
-------------
The new SecureSocial authenticator cookies improve security, but are NOT stateless. This is an admitted downside of the new authentication scheme.
I'm the one who advocated for changing the cookies to the new system. Losing the statelessness isn't something which I really thought about at first. Now it is more clear to me that there is a tradeoff between security and statelessness when it comes to authentication.
1) If we use play's stateless authentication (a signed cookie with the user and expiration date embedded in the cookie in plaintext), then it is impossible to prevent cookie replay attacks, it is impossible to detect when a cookie is compromised, and it is impossible to expire cookies when the user logs out or changes their password. But it's fast, because it is stateless.
2) If we use the new authenticator cookie, then we need to do a Cache or DB lookup to verify every request. This is not really ideal, for the scaling and performance reasons mentioned by @adaptorel.
I think the best of both worlds would be the following: There should be a stateless, non-persistent, play-signed "session" cookie used for authenticating each individual request. This cookie should be similar to the old securesocial cookie, with a short expiration time (10 minutes? 60 minutes? whatever.) Then there should be a 2nd cookie which is the "login" cookie. The login cookie is like the new securesocial cookies. It uses a randomly generated UUID which needs to be checked against the Cache or the DB. When the user signs in, the login cookie gets set. If the user connects, and has a login cookie, but not a session cookie (or it expired), then we check the login cookie against the DB, and issue a new session cookie.
That way, most requests get authenticated statelessly using the session cookie, and so sites scale well horizontally. But we still get most of the benefits of using login cookies, namely that sessions can be expired by the user or by the server. The stateful operation (checking the login cookie) only happens once every X minutes when the session cookie expires. This seems like a good tradeoff in security/statelessness.
Thoughts?
it is impossible to prevent cookie replay attacks
it is impossible to detect when a cookie is compromised
and it is impossible to expire cookies when the user logs out
or changes their password