Justin du Coeur (jducoeur) wrote,
Justin du Coeur

Non-Transient Sessions in Play

A brief Nota Bene for users of Play Framework, mostly in case anyone else hits this silly problem and winds up in the same boat I've been in.

Querki has, until now, been entirely based on transient session cookies -- your session expires when you close the browser. That works okay on the desktop, since many of us *never* close our browsers, but turns out to suck on mobile: both Mobile Chrome and Mobile Safari seem to lose their transient cookies kind of at whim. (There's probably a definition of when somewhere, but I haven't found it yet.) Problem is, the Play Framework that Querki is built on has no documented way to set up a *non*-transient session. This has had me tearing my hair out for a year now.

Turns out that the answer, as usual, is to look at the source code. (Yay for open source.) It turns out that there is an as-far-as-I-can-tell-undocumented "session.maxAge" configuration variable, which sets the max-age setting on the session cookies, which is exactly what you want in the real world. There are also config variables for the other major aspects of the session cookie.

So as far as I can tell, to manage your session cookies, you want to use this config structure:
session {
  maxAge : nnnn  # Number of milliseconds for a session to live; if not specified, session is transient
  secure : true/false  # Whether to require HTTPS for a valid session cookie, default false
  httpOnly : true  # Whether to prevent JavaScript from accessing the session cookie, default true
  domain : xxxx  # The domain to use for the session cookie?  Not sure
I'll be trying this out on Querki later today; hopefully it'll fix the problem.
Tags: programming, typesafe

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded