Notes: Pure Stateless vs Stateful implementation
milo-minderbender edited this page Aug 17, 2012 · 3 revisions
Play20-auth follows the Play framework's stateless policy. However, Play20-auth's default implementation is stateful, because a stateless implementation carries the following security risk:

If a user logs in to your application at an internet cafe and then goes home without logging out, logging in again at home will not invalidate the session left open at the cafe, because the server keeps no record of issued sessions that it could revoke.

If you nevertheless want a fully stateless implementation, override the resolver method of AuthConfig like this:
```scala
trait AuthConfigImpl extends AuthConfig {
  // Other settings omitted.
  override def resolver[A](implicit request: Request[A]) =
    new CookieRelationResolver[Id, A](request)
}
```

You could also store the session data in a relational database by overriding the resolver.
Note: CookieRelationResolver doesn't support session timeout.
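The internet-cafe scenario above, reduced to a runnable model. This is an added example, not play2-auth code: it models a stateless resolver as an HMAC-signed cookie that the server never records (the property of CookieRelationResolver the page describes) and a stateful resolver as a server-side token table where a fresh login replaces the user's previous token and tokens expire after a timeout. Class names, the secret, the user id and the timestamps are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed secret for the demo; a real deployment loads it from configuration.
COOKIE_SECRET = b"demo-secret-not-for-production"


class StatelessCookieSessions:
    """Session = signed cookie only. The server stores nothing, so it has no way
    to revoke a cookie it has already issued, and no way to expire it either."""

    def __init__(self, secret: bytes = COOKIE_SECRET) -> None:
        self._secret = secret

    def _sign(self, user_id: str) -> str:
        return hmac.new(self._secret, user_id.encode(), hashlib.sha256).hexdigest()

    def login(self, user_id: str) -> str:
        # The cookie carries the identity and a MAC over it; nothing is written server-side.
        return f"{user_id}.{self._sign(user_id)}"

    def resolve(self, cookie: str) -> Optional[str]:
        user_id, sep, sig = cookie.rpartition(".")
        if not sep or not hmac.compare_digest(sig, self._sign(user_id)):
            return None  # malformed or forged cookie
        return user_id


class StatefulSessions:
    """Session = random token indexing server-side state. A new login for the same
    user replaces the old token, and a token is rejected once its timeout passes."""

    def __init__(self, timeout_seconds: int) -> None:
        self._timeout = timeout_seconds
        self._token_to_user: Dict[str, str] = {}
        self._user_to_token: Dict[str, str] = {}
        self._expires_at: Dict[str, float] = {}

    def logout(self, token: str) -> None:
        user_id = self._token_to_user.pop(token, None)
        self._expires_at.pop(token, None)
        if user_id is not None and self._user_to_token.get(user_id) == token:
            del self._user_to_token[user_id]

    def login(self, user_id: str, now: float) -> str:
        old = self._user_to_token.get(user_id)
        if old is not None:
            self.logout(old)  # the session left open elsewhere dies here
        token = secrets.token_urlsafe(32)
        self._token_to_user[token] = user_id
        self._user_to_token[user_id] = token
        self._expires_at[token] = now + self._timeout
        return token

    def resolve(self, token: str, now: float) -> Optional[str]:
        user_id = self._token_to_user.get(token)
        if user_id is None:
            return None  # unknown, logged out, or replaced by a newer login
        if now > self._expires_at[token]:
            self.logout(token)  # timeout reached: drop the stale token
            return None
        return user_id


def stateless_cafe_session_still_valid() -> bool:
    """Cookie issued at the cafe keeps working after the user logs in again at home."""
    sessions = StatelessCookieSessions()
    cafe_cookie = sessions.login("alice")  # constructed user; never logged out
    sessions.login("alice")                # second login at home
    return sessions.resolve(cafe_cookie) == "alice"


def stateless_rejects_forged_cookie() -> bool:
    """What the MAC does protect against: rewriting the identity in the cookie."""
    sessions = StatelessCookieSessions()
    cookie = sessions.login("alice")
    forged = "bob." + cookie.split(".", 1)[1]
    return sessions.resolve(forged) is None


def stateful_cafe_session_still_valid() -> bool:
    """Token issued at the cafe is dead once the user logs in again at home."""
    sessions = StatefulSessions(timeout_seconds=3600)
    cafe_token = sessions.login("alice", now=0.0)
    sessions.login("alice", now=60.0)
    return sessions.resolve(cafe_token, now=61.0) == "alice"


def stateful_session_expires() -> bool:
    """Timeout handling, which the page notes the cookie resolver cannot offer."""
    sessions = StatefulSessions(timeout_seconds=3600)
    token = sessions.login("alice", now=0.0)
    return sessions.resolve(token, now=3601.0) is None
```

The first scenario function returns True and the third returns False, which is the whole trade-off: the signed cookie cannot be forged, but a server that holds no session state has nothing to delete when the user logs in again, while the stateful table can both revoke the cafe token and enforce a timeout.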