How to implement " remember me " functionality in Play 2.0 framework?

Question

Hi i'm working on play20 framework with java application.For that i want to implement "remember me" functionality like gmail or facebook without cookies . i don't know how to start .Can any one help me in that ? Thank you in Advance.

Answer 1

I think you definitely need cookies. However RememberMe isn't so trivial as it's looks. I implement one for permsec in play2.0. After finish it, I found this article, which shows a lot of problems with stolen cookies.

Answer 2

Why do you want it without cookies? If you'll remove all google.* cookies it will not remember you as well.

Of course you do not need to store credentials in the cookies to keep the user logged in. Most probably you need to save some kind of ID in the database for each logged user and then store this ID as a cookie. When user comes back you have to check if stored cookie fits any of the user and if it do, just consider the user is logged in.

Of course to avoid brute force attempts you should also create additional validation cookie(s) and each time check if sets of cookies matches each other with server-side comparison.

Answer 3

I don't think it is possible without using cookies. If you want to implement this functionality with cookies, when user clicks "remember me" just let the expire date be in a distant future.