Introduction
Play stores the session in a session cookie in the browser. There are useful configuration settings, but in application code you typically access the session through the Scala or Java API.
Session and flash cookies are stored in JSON Web Token (JWT) format. The encoding is transparent to Play, but JWT brings several useful properties to session cookies, and these can be configured in application.conf. Note that the JWT is signed using the secret but is not encrypted by Play. Note also that a JWT is normally carried in an HTTP header value, which is not how it is used here.
Not Before Support
When a session cookie is created, the JWT "issued at" (iat) and "not before" (nbf) claims are set to the time of cookie creation, which prevents a cookie from being accepted before the current time.
Session Timeout / Expiration
By default, there is no technical timeout for the session. It expires when the user closes the web browser. If a particular application requires a functional timeout, set the session cookie's maximum age by configuring the key play.http.session.maxAge in application.conf; this also sets play.http.session.jwt.expiresAfter to the same value. The maxAge property removes the cookie from the browser, and the JWT exp claim set in the cookie makes it invalid after the specified time period.
URL Encoded Cookie Encoding
The session cookie uses the JWT cookie encoding. If you prefer, you can go back to URL-encoded cookies by switching to play.api.mvc.LegacyCookiesModule in the application.conf file.
The following describes the default session configuration:
# Session configuration
session = {
  # The cookie name
  cookieName = "PLAY_SESSION"

  # Whether the secure cookie attribute needs to be set to true
  secure = false

  # The max age to set on the cookie.
  # If null, the cookie expires when the user closes their browser.
  # Note that this only determines when the browser will delete the cookie.
  maxAge = null

  # Whether the HTTP only cookie attribute needs to be set to true
  httpOnly = true

  # The value of the SameSite attribute of the cookie. Set to null for no SameSite attribute.
  # The two possible values are "strict" and "lax". If specified incorrectly, it is set to null.
  sameSite = "lax"

  # The domain to set on the session cookie.
  # If null, no domain is set on the session cookie.
  domain = null

  # The session path.
  # Must start with /.
  path = ${play.http.context}

  jwt {
    # The JWT signature algorithm to use on the session cookie.
    # Uses 'alg': https://tools.ietf.org/html/rfc7515#section-4.1.1
    signatureAlgorithm = "HS256"

    # The time after which the session is automatically invalidated.
    # Uses 'exp': https://tools.ietf.org/html/rfc7519#section-4.1.4
    expiresAfter = ${play.http.session.maxAge}

    # The amount of clock skew to accept between servers when performing date checks.
    # If you have NTP or roughtime synchronizing between servers, you can enhance
    # security by tightening this value.
    clockSkew = 5 minutes

    # The claim key under which all user data is stored in the JWT.
    dataClaim = "data"
  }
}
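The settings above (HS256 signature, iat and nbf set at creation, exp derived from expiresAfter, clockSkew, and the "data" claim) can be seen working together in a stand-alone model of the cookie. This is an added example, not Play's own code: the function names, the constructed secret and timestamps, and the simplified clock-skew handling are assumptions.

```python
import base64, hashlib, hmac, json

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_cookie(data, secret, now, expires_after=None):
    """Build an HS256 JWT carrying the claims the page describes."""
    claims = {"data": data, "iat": now, "nbf": now}  # both set to creation time
    if expires_after is not None:                     # expiresAfter -> exp claim
        claims["exp"] = now + expires_after
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + b64url(_sign(signing_input, secret))

def peek(cookie):
    """Decode the claims without any key: the cookie is signed, not encrypted."""
    return json.loads(b64url_decode(cookie.split(".")[1]))

def verify(cookie, secret, now, clock_skew=300):
    """Return the session data, or None if the signature or time checks fail."""
    try:
        head, body, sig = cookie.split(".")
        # Algorithm is fixed server-side; the header's "alg" is never trusted.
        if not hmac.compare_digest(_sign(head + "." + body, secret), b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if claims.get("nbf", now) > now + clock_skew:             # not yet valid
        return None
    if "exp" in claims and claims["exp"] + clock_skew <= now:  # expired
        return None
    return claims["data"]

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed value, not a real key
    t0 = 1_700_000_000                    # constructed creation time (epoch seconds)
    cookie = make_cookie({"user": "alice"}, secret, t0, expires_after=3600)
    print(peek(cookie))                       # readable by whoever holds the cookie
    print(verify(cookie, secret, t0 + 60))    # accepted
    print(verify(cookie, secret, t0 + 3900))  # None: past exp plus skew
```

Because peek needs no key, anything placed in the session is readable by the client; the signature only guarantees that the server will reject a modified cookie.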
Frequently Asked Questions
What does SBT stand for?
SBT stands for System Build Tools.
What is MVC?
MVC is an architectural paradigm that divides an application into three basic logical components: the model, the view, and the controller.
What is the use of the Play Framework?
Play Framework is a free, open-source web application framework based on the model-view-controller (MVC) architectural paradigm. It is built on Akka and delivers predictable and low resource usage (CPU, memory, threads) for highly scalable applications.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol. It is an application-layer protocol for transmitting hypermedia documents, such as HTML. It was designed for communication between web browsers and web servers.
What is debugging?
It is the process of identifying and removing computer hardware or software errors.
Conclusion
In this article, we have extensively discussed configuring the session cookie.