How to keep SecureSocial users logged in?

Question

I have a Play 2.0.4 web app that uses SecureSocial to allow users to log in through third-party providers like twitter, facebook, and gmail. At that point, I am not using my own UsernamePasswordProvider; maybe I'll add it later.

I need my users to stay logged in for a long time, maybe a week. In my case, the user session is just used for various convenience features like customizations, so the risks associated with long lived sessions are definitely less important than the convenience of not having to log in every time.

It looks like currently the session is stored in an ephemeral cookie that goes away when the user terminates the browser. There is a sessionTimeOut parameter in the config file, but it's purpose seems to be terminating a session in a browser that stays open for a long time. At least, the session is interrupted immediately when I close and reopen the browser even if this timeout is set to a large number.

What is the recommended way of keeping the users logged in for a long time?

Answer 1

The latest snapshot from master (for Play 2.1) has a new property that makes the authenticator cookie persistent if you need that. In your config file you can add:

securesocial.cookie.makeTransient=false
securesocial.cookie.absoluteTimeoutInMinutes=1440
securesocial.cookie.idleTimeoutInMinutes=1440

That would make the cookie persistent and make the session last 24hs.

Answer 2

For Play 2.2 you need to add cookie section to securesocial.conf file like:

cookie {
    name=id
    path=/
    httpOnly=true
    idleTimeoutInMinutes=1440
    absoluteTimeoutInMinutes=1440
}

Answer 3

the configs are defined and used here: CookieAuthenticator

you can mouse over the variable and see how the configs are used.

the two config: absoluteTimeout and idleTimeout is used for different purpose, this line controls when will the cookie be seen as valid

so I suggest you use a much bigger value for absoluteTimeoutInMinutes than the other one