Play framework security issue regarding cookies and sessions

Backend · unresolved · 4 · 1113
天命终不由人 2021-01-31 00:44

For my app I'm implementing the same security as shown in the Zentask sample.

import play.mvc.Http.Context;
import play.mvc.Security.Authenticator;

public class Secured extends Authenticator {

    @Override
    public String getUsername(Context ctx) {
        // As in the Zentask sample: the logged-in user's e-mail is kept in the signed session cookie
        return ctx.session().get("email");
    }
}
4 answers

忘掉有多难 2021-01-31 01:09

    • I would recommend having one module which will generate session IDs for you. In this module you can have some method like createSessionId() or similar. The logic for generating the session ID you keep in this method.

    • I would create the session ID as a combination of (userId + providerId (Facebook/Google in case of OAuth/UsernamePassword/any provider) + current timestamp + UUID) and after creating this session ID, I would encrypt it with some algorithm. This will give me the session ID.

    • The advantages of this would be:

      • Though generating the session ID will take time, nobody would make sense of it.
      • Another advantage would be that you can change your encryption logic / strategy for creating session IDs at any time in the createSessionId() method.

    • Another problem with the session in the Play framework is that there is no expiry for the session:
      • To handle this, as soon as the user logs in, we can store a timestamp in the session, i.e. nothing but in the cookie (by encrypting, maybe?).
      • Now for every request, check the timestamp in the session. If the timestamp is more than, say, 30 minutes old, invalidate the session. If the timestamp is not more than 30 minutes old, update the timestamp in the session to the current timestamp.
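The two ideas in the answer above (a dedicated createSessionId() and a per-request idle-timeout check on a timestamp kept in the session) as one worked example. This is added code, not the question's or the answer's, and it targets the Http.Context-based Play 2.x Java API (play.mvc.Security.Authenticator, play.mvc.Http.Session); the session keys "email", "sid" and "lastActivity" and the route routes.Application.login() are assumptions. Two points worth knowing when reading it: Play's session cookie is signed with the application secret, not encrypted, so a timestamp stored there cannot be altered by the client but can be read by it; and the session ID here is a CSPRNG token rather than an encrypted composite of user data, because an ID only has to be unpredictable, and the signed cookie already carries the user's identity.

```java
// Added example (not from the page): Zentask-style Authenticator with a
// 30-minute sliding idle timeout and an unpredictable per-login session id.
package controllers;

import java.security.SecureRandom;
import java.util.Base64;

import play.mvc.Http.Context;
import play.mvc.Http.Session;
import play.mvc.Result;
import play.mvc.Security;

public class Secured extends Security.Authenticator {

    // Idle timeout after which the session is treated as dead (30 minutes).
    static final long IDLE_TIMEOUT_MS = 30L * 60 * 1000;

    // Session keys (assumed names, not from the page).
    static final String USER_KEY = "email";
    static final String SID_KEY = "sid";
    static final String LAST_ACTIVITY_KEY = "lastActivity";

    private static final SecureRandom RNG = new SecureRandom();

    /** Opaque session id: 256 bits from a CSPRNG, URL-safe base64.
     *  It encodes nothing about the user, so there is nothing to decrypt. */
    public static String createSessionId() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Call this from the login action once the credentials have been verified. */
    public static void startSession(Session session, String email) {
        session.clear();   // drop anything a pre-login cookie carried (fixation defence)
        session.put(USER_KEY, email);
        session.put(SID_KEY, createSessionId());
        session.put(LAST_ACTIVITY_KEY, Long.toString(System.currentTimeMillis()));
    }

    /** Returning null makes Play call onUnauthorized for this request. */
    @Override
    public String getUsername(Context ctx) {
        Session session = ctx.session();
        String email = session.get(USER_KEY);
        if (email == null) {
            return null;                       // not logged in
        }
        if (isExpired(session.get(LAST_ACTIVITY_KEY), System.currentTimeMillis())) {
            session.clear();                   // invalidate: the response rewrites the cookie empty
            return null;
        }
        // Sliding window: refresh the timestamp on every authenticated request.
        session.put(LAST_ACTIVITY_KEY, Long.toString(System.currentTimeMillis()));
        return email;
    }

    /** Fail closed: a missing or unparseable timestamp counts as expired. */
    static boolean isExpired(String lastActivity, long now) {
        if (lastActivity == null) {
            return true;
        }
        try {
            long last = Long.parseLong(lastActivity);
            return now - last > IDLE_TIMEOUT_MS;
        } catch (NumberFormatException e) {
            return true;
        }
    }

    @Override
    public Result onUnauthorized(Context ctx) {
        return redirect(routes.Application.login());   // assumed login route
    }
}
```

Annotate controller actions with @Security.Authenticated(Secured.class) as Zentask does; the timeout check then runs before every protected action, and an expired session lands on the login page with its cookie cleared. Play's session.maxAge setting gives the cookie an absolute lifetime, but it does not implement an idle timeout, which is why the timestamp is still needed.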
