Notes: Pure Stateless vs Stateful implementation
gakuzzzz edited this page Dec 26, 2012 · 3 revisions
Play2x-Auth follows the Play framework's stateless policy. However, Play2x-Auth's default implementation is stateful, because a stateless implementation carries the following security risk:
If a user logs in to your application at an internet cafe and then returns home without logging out, logging in again at home will not invalidate the session left open at the cafe, because nothing on the server records which sessions exist.
Nevertheless, if you want a fully stateless implementation, just override the idContainer method of AuthConfig like this:
import jp.t2v.lab.play2.auth._

trait AuthConfigImpl extends AuthConfig {
  // Other settings omitted.
  // Store the id in the (signed) Play session cookie instead of on the server.
  override lazy val idContainer: IdContainer[Id] = new CookieIdContainer[Id]
}
You could also store the session data in a relational database by overriding the resolver.
Note: CookieIdContainer doesn't support session timeout.
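To make the trade-off above concrete, here is an added illustration (not play2-auth's own code, and not its IdContainer API) that models both strategies in a few lines: a server-side container can revoke the earlier token when the same user logs in again, whereas a cookie-only container keeps no state and therefore cannot. The names SessionIds, InMemoryIdContainer and CookieOnlyIdContainer are hypothetical, and the cookie value is left unsigned for brevity.

```scala
import scala.collection.mutable

// Hypothetical minimal interface: a token is what ends up in the browser cookie.
trait SessionIds {
  def startNewSession(userId: Long): String
  def get(token: String): Option[Long]
}

// Stateful: tokens live on the server, so a new login can revoke the old one.
class InMemoryIdContainer extends SessionIds {
  private val tokenToUser = mutable.Map.empty[String, Long]
  private val userToToken = mutable.Map.empty[Long, String]

  def startNewSession(userId: Long): String = {
    // Drop the token from the user's previous login (e.g. the internet cafe).
    userToToken.get(userId).foreach(tokenToUser.remove)
    val token = java.util.UUID.randomUUID.toString
    tokenToUser(token) = userId
    userToToken(userId) = token
    token
  }

  def get(token: String): Option[Long] = tokenToUser.get(token)
}

// Stateless: the cookie itself carries the id. Nothing is stored server-side,
// so every previously issued cookie stays valid until it expires in the browser.
class CookieOnlyIdContainer extends SessionIds {
  def startNewSession(userId: Long): String = userId.toString
  def get(token: String): Option[Long] = scala.util.Try(token.toLong).toOption
}

object Demo extends App {
  val stateful = new InMemoryIdContainer
  val cafeToken = stateful.startNewSession(42L)   // login at the internet cafe
  val homeToken = stateful.startNewSession(42L)   // login again at home
  println(s"stateful:  cafe token still valid? ${stateful.get(cafeToken).isDefined}")
  println(s"stateful:  home token valid?       ${stateful.get(homeToken).isDefined}")

  val stateless = new CookieOnlyIdContainer
  val cafeCookie = stateless.startNewSession(42L)
  stateless.startNewSession(42L)                  // second login changes nothing server-side
  println(s"stateless: cafe cookie still valid? ${stateless.get(cafeCookie).isDefined}")
}
```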