Your assumption is absolutely correct: you cannot invalidate a session on the server following the Zentask example. Although the session cookie is signed with the private key from the configuration file, the same value produces the same signed cookie. As you already figured out, if someone steals the cookie from a user, neither the user nor you (the server) can prevent the thief from "logging into" the user's account.
There are basically two options now:
- Store volatile information you already have about the user in the cookie, something that only you and the user know and that changes from time to time. An example would be part of the password hash. Once the user changes the password, the information is no longer valid and all old session cookies are invalid. A downside of this method: if the user does not change the stored information, the cookie will be valid for a long time, maybe even forever.
- Create server-side session management. For this you need a database, a key-value cache or something similar. In there you store a randomly generated (cryptographically secure) key for the session, the user's name/ID and the date when the session will be automatically invalidated. You can also store the IP address to improve security against cookie stealing. The session key must then be written into the cookie. When the user clicks the logout button, you invalidate the current session (or alternatively all sessions for this user).
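Both options side by side, as an added example that is not code from the answer above or from the Zentask sample. It is framework-agnostic Python rather than Play's Scala/Java, so the HMAC cookie signing is a stand-in for what the framework does with the configured secret. `APP_SECRET`, `SESSION_TTL`, the `USERS` and `SESSIONS` dictionaries, and the use of sha256 in place of a real password hash are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the application secret from the config file.
APP_SECRET = b"constructed-example-application-secret"
SESSION_TTL = 3600  # seconds until a server-side session expires (assumed value)

# --- Cookie signing (HMAC-SHA256), shared by both options ---------------------

def sign_cookie(payload: str) -> str:
    """Return '<hex mac>-<payload>'; the payload is readable but tamper-evident."""
    mac = hmac.new(APP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{mac}-{payload}"

def verify_cookie(cookie: str):
    """Return the payload if the MAC checks out, otherwise None."""
    mac, sep, payload = cookie.partition("-")
    if not sep:
        return None
    expected = hmac.new(APP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None

# --- Option 1: bind the cookie to the user's current password hash ------------

# Constructed user table; sha256 stands in for a real password hash (bcrypt, argon2).
USERS = {"alice": {"password_hash": hashlib.sha256(b"old-password").hexdigest()}}

def change_password(username: str, new_password: str) -> None:
    USERS[username]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()

def hash_fragment(password_hash: str) -> str:
    # Derive a short tag from the hash instead of copying raw hash bytes into the cookie.
    return hmac.new(APP_SECRET, password_hash.encode(), hashlib.sha256).hexdigest()[:16]

def issue_cookie_option1(username: str) -> str:
    return sign_cookie(f"{username}:{hash_fragment(USERS[username]['password_hash'])}")

def user_from_cookie_option1(cookie: str):
    """Return the username, or None if the cookie is forged or predates a password change."""
    payload = verify_cookie(cookie)
    if payload is None:
        return None
    username, _, tag = payload.partition(":")
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(tag, hash_fragment(user["password_hash"])):
        return None
    return username

# --- Option 2: server-side session store ----------------------------------------

SESSIONS: dict = {}  # session key -> {"user", "expires", "ip"}; a DB or cache in practice

def create_session(username: str, client_ip: str, now: float = None) -> str:
    """Create a session and return the cookie value (the random session key)."""
    now = time.time() if now is None else now
    key = secrets.token_hex(32)  # 256 bits from the OS CSPRNG; unguessable, so no MAC needed
    SESSIONS[key] = {"user": username, "expires": now + SESSION_TTL, "ip": client_ip}
    return key

def user_from_cookie_option2(cookie: str, client_ip: str, now: float = None):
    """Return the username for a live session, or None. Expired sessions are purged."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookie)
    if sess is None:
        return None
    if now >= sess["expires"]:
        del SESSIONS[cookie]
        return None
    if sess["ip"] != client_ip:  # stolen cookie replayed from another address
        return None
    return sess["user"]

def logout(cookie: str) -> None:
    SESSIONS.pop(cookie, None)

def logout_all(username: str) -> None:
    for key in [k for k, s in SESSIONS.items() if s["user"] == username]:
        del SESSIONS[key]

if __name__ == "__main__":
    c = issue_cookie_option1("alice")
    print(user_from_cookie_option1(c))   # alice
    change_password("alice", "new-password")
    print(user_from_cookie_option1(c))   # None: old cookies died with the old hash
    s = create_session("bob", "10.0.0.1")
    print(user_from_cookie_option2(s, "10.0.0.1"))  # bob
    logout(s)
    print(user_from_cookie_option2(s, "10.0.0.1"))  # None
```

With option 2 the cookie holds nothing but the random key, so its security rests on the key being unguessable and on the server-side record, which is exactly what makes logout and "log out everywhere" possible. Binding the session to the client IP does raise the bar for a cookie thief, but it also drops users whose address changes mid-session (mobile networks, corporate proxies), so treat it as an optional hardening rather than a default.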