Session variables encryption in Play framework

2014-02-27 00:00:00 +0000

Main motivation for this work was to counter security issues caused by Play implementation of session variables. Session variable is a store that allows a web application to set variables related to a particular user’s session. In the traditional Java HttpServlet a session variable can be set using setAttribute() and getAttribute(). These values never leave the web application - they are stored on server side.

Play also offers session variables which may be set using session() (actual session variables) or flash() methods (short lived messages). They are stored in HTTP cookie in the client’s browser. This is clearly explained in the documentation and was motivated by stateless architecture of Play apps but nonetheless it’s causing security problems: