Fix tests, add docs.

ninja-core/src/site/markdown/documentation/basic_concepts/sessions.md

@@ -95,6 +95,31 @@ public Result clearSession(Session session) {
 }
 </pre>
 
+Session Expiry
+--------------
+
+The session cookie can have an expiry time set.  The expiry time is checked every time
+a request is made.  By default no expiry time is set, but one can be configured in
+<code>conf/application.conf</code> with the
+<code>application.session.expire_time_in_seconds</code> property (see below).  This can
+also be set in code <code>setExpiryTime()</code>.
+
+<pre class="prettyprint">
+public Result login(@Param("rememberMe") Boolean rememberMe,
+                    Session session) {
+
+    if (rememberMe != null && rememberMe) {
+        // Set the expiry time 30 days (in milliseconds) in the future
+        session.setExpiryTime(30 * 24 * 60 * 60 * 1000L);
+    } else {
+        // Set the expiry time 1 hour in the future
+        session.setExpiryTime(60 * 60 * 1000L);
+    }
+
+    return Results.html();
+}
+</pre>
+
 Disabling secure (HTTPS) flag for sessions during development
 -------------------------------------------------------------
 
@@ -130,9 +155,10 @@ and bar.example.com:
 application.cookie.domain = .example.com
 </pre>
 
-The time until a session expires (in seconds). By default, a session does not
-have an expiry time. For example, to set a session to expire after one minute
-of inactivity:
+The time until a session expires (in seconds).  By default, a session does not
+have an expiry time set.  However, the browser may expire the session cookie,
+typically after the browser is closed (this can vary based on browser settings).
+To set a session to expire after one minute of inactivity:
 
 <pre class="prettyprint">
 application.session.expire_time_in_seconds = 60
@@ -158,16 +184,9 @@ he does. When send_only_if_changed is false, the session cookie and its expirati
 time is refreshed on every HTTP response.
 </div>
 
-To only send session cookies over HTTPS by including the secure flag.  To disable
-this flag:
-
-<pre class="prettyprint">
-application.session.transferred_over_https_only = false
-</pre>
-
-To set the HttpOnly flag on the session cookie. On a supported browser, an
-HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests,
-thus restricting access from other, non-HTTP APIs (such as JavaScript). This
+The <code>application.session.http_only</code> property can be used to mark the
+session cookie as HTTP Only when sent over HTTP/HTTPS.  On supported browsers, the
+HTTP Only flag will prevent JavaScript from accessing the session cookie.  This
 restriction mitigates but does not eliminate the threat of session cookie theft
 via cross-site scripting (XSS).  To disable this flag:
 

ninja-servlet-jpa-blog-archetype/src/main/resources/archetype-resources/src/main/java/controllers/LoginLogoutController.java

@@ -22,13 +22,13 @@
 import ninja.Context;
 import ninja.Result;
 import ninja.Results;
+import ninja.params.Param;
 import ninja.session.Session;
 
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 
 import dao.UserDao;
-import models.LoginDto;
 
 @Singleton
 public class LoginLogoutController {
@@ -46,16 +46,18 @@ public Result login(Context context) {
 
     }
 
-    public Result loginPost(LoginDto loginForm,
+    public Result loginPost(@Param("username") String username,
+                            @Param("password") String password,
+                            @Param("rememberMe") Boolean rememberMe,
                             Context context) {
 
-        boolean isUserNameAndPasswordValid = userDao.isUserAndPasswordValid(loginForm.username, loginForm.password);
+        boolean isUserNameAndPasswordValid = userDao.isUserAndPasswordValid(username, password);
 
         if (isUserNameAndPasswordValid) {
             Session session = context.getSession();
-            session.put("username", loginForm.username);
+            session.put("username", username);
 
-            if (loginForm.rememberMe != null && loginForm.rememberMe) {
+            if (rememberMe != null && rememberMe) {
                 session.setExpiryTime(24 * 60 * 60 * 1000L);
             }
 
@@ -66,8 +68,8 @@ public Result loginPost(LoginDto loginForm,
         } else {
 
             // something is wrong with the input or password not found.
-            context.getFlashScope().put("username", loginForm.username);
-            context.getFlashScope().put("rememberMe", loginForm.rememberMe);
+            context.getFlashScope().put("username", username);
+            context.getFlashScope().put("rememberMe", rememberMe);
             context.getFlashScope().error("login.errorLogin");
 
             return Results.redirect("/login");

ninja-servlet-jpa-blog-archetype/src/main/resources/archetype-resources/src/main/java/dao/UserDao.java

@@ -44,7 +44,7 @@ public boolean isUserAndPasswordValid(String username, String password) {
 
             EntityManager entityManager = entityManagerProvider.get();
 
-            TypedQuer<User> q = entityManager.createQuery("SELECT x FROM User x WHERE username = :usernameParam");
+            TypedQuery<User> q = entityManager.createQuery("SELECT x FROM User x WHERE username = :usernameParam", User.class);
             User user = getSingleResult(q.setParameter("usernameParam", username));
 
             if (user != null) {

ninja-servlet-jpa-blog-archetype/src/main/resources/archetype-resources/src/main/java/views/LoginLogoutController/login.ftl.html

@@ -34,7 +34,7 @@
                     <div class="col-lg-8 pull-right">
                         <div class="pull-right">
                             <input name="rememberMe" type="checkbox" value="true"
-                                   <#if flash.rememberMe?? && flash.rememberMe == "true">checked</#if>>
+                                   <${symbol_pound}if flash.rememberMe?? && flash.rememberMe == "true">checked</${symbol_pound}if>>
                             <label for="rememberMe"> Remember me </label>
                         </div>
                     </div>

ninja-servlet-jpa-blog-integration-test/src/main/java/controllers/LoginLogoutController.java

@@ -19,13 +19,13 @@
 import ninja.Context;
 import ninja.Result;
 import ninja.Results;
+import ninja.params.Param;
 import ninja.session.Session;
 
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 
 import dao.UserDao;
-import models.LoginDto;
 
 @Singleton
 public class LoginLogoutController {
@@ -43,16 +43,18 @@ public Result login(Context context) {
 
     }
 
-    public Result loginPost(LoginDto loginForm,
+    public Result loginPost(@Param("username") String username,
+                            @Param("password") String password,
+                            @Param("rememberMe") Boolean rememberMe,
                             Context context) {
 
-        boolean isUserNameAndPasswordValid = userDao.isUserAndPasswordValid(loginForm.username, loginForm.password);
+        boolean isUserNameAndPasswordValid = userDao.isUserAndPasswordValid(username, password);
 
         if (isUserNameAndPasswordValid) {
             Session session = context.getSession();
-            session.put("username",loginForm.username);
+            session.put("username", username);
 
-            if (loginForm.rememberMe != null && loginForm.rememberMe) {
+            if (rememberMe != null && rememberMe) {
                 session.setExpiryTime(24 * 60 * 60 * 1000L);
             }
 
@@ -63,8 +65,8 @@ public Result loginPost(LoginDto loginForm,
         } else {
 
             // something is wrong with the input or password not found.
-            context.getFlashScope().put("username", loginForm.username);
-            context.getFlashScope().put("rememberMe", loginForm.rememberMe);
+            context.getFlashScope().put("username", username);
+            context.getFlashScope().put("rememberMe", rememberMe);
             context.getFlashScope().error("login.errorLogin");
 
             return Results.redirect("/login");