How long will it be when a session expired

[chen changfeng]

Hi,

I know in cache I can set the expired time. But now I just want to
store user login info into session. And how long will it be when this
session time out? Is there a default value?

Thanks.

[Michael Boyd]

Sessions always time out when the user closes the browser.

[Mahmoud Sakr]

Do they?

How is that even possible? How would a server tell?

Sessions timeout sometime around 30 minutes. That should be configurable, somewhere, I presume.

[Andres Martinez Quijano]

In the application.conf file

# Session configuration
# ~~~~~~~~~~~~~~~~~~~~~~
# By default, session will be written to the transient PLAY_SESSION cookie.
# application.session.cookie=PLAY
application.session.maxAge=30mn

or

application.session.maxAge=1h

or whatever value you like

> --
> You received this message because you are subscribed to the Google Groups
> "play-framework" group.
> To post to this group, send email to play-fr...@googlegroups.com.
> To unsubscribe from this group, send email to
> play-framewor...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/play-framework?hl=en.
>

[Guillaume Bort]

Yes, and the default is never expire. The session is lost only when
the user close the browser.

[Lincoln Stoll]

The server doesn't need to tell - it sets a cookie with a session scope, and the browser will hang on to it. It looks like play stores all session data within the cookie, so the browser will remember this until it's closed unless an explicit expiry time is set on this cookie.

It sounds like you are thinking of how most servlet containers handle sessions by default.

Linc.

[monzonj]

Is there any way to tell on PLAY when a session has finished (because the user closes the browser or forced timeout). I think it is important to release resources, etc.

[virtualeyes]

Play 2 is stateless, there are no resources to release.

I actually set cookie expiration to 1 month, but have 3 minute cache that looks up logged in user's record to see if account is active, locked, or has more than 1 user logged in on the account (and then blow away the cookie accordingly).

Otherwise, why inconvenience valid users with logging in and out?

[Andrea Guarini]

@virtualeyes: can you please provide an example of how you made that 3 minutes cache mechanism to check if the user is still logged in?

[virtualeyes]

Andrea, you need to implement Action Composition; i.e. wrap your controller Action methods like Play does with their Authenticated trait.

Stripped down version of what I'm using would be something like:

trait Secured {
  def Authenticated[A](p: BodyParser[A])
    (f: Outcome[A] => SimpleResult)(implicit group: RoleGroup): Action[A] = {

    def verify(id: Int)(implicit r: Request[A]): SimpleResult = {
      Cache.orElse("roles."+id, 300){ repo.userrole.findAllByUser(id) }.filter{
        x=> x.active && x.roleGroup == group)
      }.map{ f(toOutcome(r, id)) }.getOrElse(toFail)
    }

    Action(p) { implicit r=>
      r.session.get("uid").map(verify(_.int)).getOrElse(onFail)
    }
  }
}

object MembersOnly extends Controller {
  def privatePlace = Authenticated { implicit r=>
    // if we got here account is active
    ...
  }
}

[Lam Lê]

It does not work in play 2.1.1

I have to do session timeout manually.

Vào 18:36:18 UTC+7 Thứ hai, ngày 14 tháng sáu năm 2010, Andres Martinez Quijano đã viết: