Store cookie even if the session is closed

Tag: session-cookies, playframework-2.0 Author: riyuezhi0430 Date: 2012-04-02

What would be the best approach for a Play! application to remember the user? I think the only possible solution is to use the client side cookies, right? But as soon as the browser shuts down, this session is destroyed and not valid for the next request? How did/do you solve(d) this?

As for now, I set the crypted userid in the session (per session), like this:


And then I use the interceptor to avoid passing parameters everywhere when I need them often, as described here: How to avoid passing parameters everywhere in play2?

But how to remember the user, or even better, automatically log the user in on the next request?

You retrieve it from the session on each request. Please take a look at the zentasks example, it shows how to do all this.
I have looked at Zentasks, but the Zentasks sessions are not persisted when the browser shuts down. I want to remember the user, when he visits the next day, to automatically log him in to the application... or am I missing something?
That must be a setting in your browser, because normally the cookies are not deleted.

Other Answer1

To make the session not time out when a user closes their browser, you can use the session.maxAge parameter in the application.conf.


# Set session maximum age in seconds (4w)


+1, interesting, would be nice if we could set this on a per cookie basis. For example, I'd like to set a long expire user-email cookie, but leave the default for other scenarios. Setting a 4 week shopping cart session might be a wee bit much.
@virtualeyes Threadless keeps my shopping cart months apart and I like it.
+1 to session.maxAge - Beware that 7d, 1h aren't valid.

Other Answer2

Quoting from Play 2.0 Session Documentation:

There is no technical timeout for the Session. It expires when the user closes the web browser. If you need a functional timeout for a specific application, just store a timestamp into the user Session and use it however your application needs (e.g. for a maximum session duration, maximum inactivity duration, etc.).

For security reasons, modern browsers will invalidate cookies on exit, and this is not something you can change simply because it would allow hackers to do bad things with credentials that they do not rightfully have.

I would reevaluate whether or not you truly want the user to stay logged in, since it is usually a security risk to do so. If, however, you decide that you still want the user to stay logged in, you will have to try something that is not cookie based, and at the moment, I'm not sure what that would look like.

Other Answer3

If you don't force a newSession or the user doesn't remove the cookies, the user should still be logged in.

It may be that your browser is set up to remove cookies when closing, or you are suffering from an external side effect. But I can confirm that cookies persist in my dev environment (in both Chrome and Firefox) after closing the browser.


And how do you create the PLAY_SESSION cookie? Because this cookie (that contains my userid) is valid for one session :-(
@adis, Play creates that automatically, nothing you have to do about it
@PereVillega not true, close your web browser and watch your session go bye-bye (chrome cookie manager "Expires: When I close my browser"). This of course also hoses the useful store-user-email in cookie scenario to avoid forcing the user to re-type their login email over & over. Not everyone puts their machine to sleep and leaves their browser open; those that do not write angry tech support tickets.
@virtualeyes that's what I said, if the user doesn't remove them :) In Firefox by default (no changes to config) that doesn't happen. If user changes config...
@PereVillega right, well Firefox isn't everything -- IE, Chrome, Safari, Opera and so on may have their own policy in regard to cookie expire on browser close. Many users are unhappy with the new site (which does look and perform quite nicely) because usability has taken a hit (before on LAMP stack I just set a long expire cookie and done with it). Going to have to find a workaround, not a good situation at present for users that restart and/or close their browser.

Other Answer4

I tried this and it worked for me. It's basically a composed Action.

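    // Copies the "remember-email" cookie into the session when the session has no "email" yet.
    def RememberAction(f: Request[AnyContent] => Result): Action[AnyContent] = {
      Action { request =>
        if(!request.session.get("email").isDefined && request.cookies.get("remember-email").isDefined) {
          f(request).asInstanceOf[PlainResult].withSession("email" -> request.cookies.get("remember-email").get.value)
        } else {
          f(request) // session already has an email, or no remember cookie: run the action unchanged
        }
      }
    }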

Then you can use this Action in your controllers like this:

    def index = RememberAction { implicit request =>
      Ok("Hello World!")
    }
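
A hardened form of the remember cookie used in the answer above, as an added example that is not part of the original answer: the cookie value is signed with HMAC-SHA256 and carries an expiry, so a client-edited value is rejected instead of being copied into the session. `RememberToken`, `issue`, `verify` and the demo key are hypothetical names and values; the code assumes Java 8+ for `java.util.Base64`.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Added example: signed, expiring value for a long-lived "remember" cookie.
// RememberToken, issue and verify are hypothetical names, not Play API.
object RememberToken {
  private val enc = Base64.getUrlEncoder.withoutPadding
  private val dec = Base64.getUrlDecoder

  private def hmac(key: Array[Byte], msg: String): Array[Byte] = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(new SecretKeySpec(key, "HmacSHA256"))
    mac.doFinal(msg.getBytes(UTF_8))
  }

  // Token layout: base64url(email) "." expiryEpochSeconds "." base64url(HMAC over the first two fields)
  def issue(key: Array[Byte], email: String, ttlSeconds: Long, now: Long): String = {
    val payload = enc.encodeToString(email.getBytes(UTF_8)) + "." + (now + ttlSeconds)
    payload + "." + enc.encodeToString(hmac(key, payload))
  }

  // Returns the email only if the signature matches and the token has not expired.
  def verify(key: Array[Byte], token: String, now: Long): Option[String] =
    token.split('.') match {
      case Array(e, exp, sig) =>
        try {
          val expected = hmac(key, e + "." + exp)
          val ok = MessageDigest.isEqual(expected, dec.decode(sig)) // constant-time compare
          if (ok && exp.toLong > now) Some(new String(dec.decode(e), UTF_8)) else None
        } catch { case _: IllegalArgumentException => None } // bad base64 or non-numeric expiry
      case _ => None
    }
}

object Demo extends App {
  val key = "constructed-demo-key-use-a-random-secret".getBytes(UTF_8) // constructed sample key
  val t = RememberToken.issue(key, "alice@example.com", 2419200L, now = 1000L)
  println(RememberToken.verify(key, t, now = 2000L))              // fresh token
  println(RememberToken.verify(key, "YQ.9999999999.AAAA", 2000L)) // forged signature
  println(RememberToken.verify(key, t, now = 1000L + 2419200L))   // past expiry
}
```

Only the result of `verify` should ever be written into the session, and the cookie carrying the token should be marked HttpOnly and Secure with a lifetime matching the embedded expiry.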