
§Configuring the session cookie

Play stores the session in a session cookie in the browser. When programming, you will usually access the session through the Scala API or the Java API, but there are also some useful configuration settings.

The session and flash cookies are stored in JSON Web Token (JWT) format. The encoding is transparent to Play, but a JWT has some useful properties that can be leveraged for session cookies, and these can be configured through application.conf. Note that JWTs are typically used as HTTP header values, which is not the case here. Also, the JWT is signed with the secret key but is not encrypted by Play, so anyone holding the cookie can read its contents.

§Not-before support

When a session cookie is created, the JWT "issued at" iat and "not before" nbf claims are set to the time the cookie was created, which prevents the cookie from being accepted before the current time.

§Session timeout / expiration

By default, the Session has no technical timeout. It expires when the user closes their web browser. If you need a functional timeout for a specific application, you can set the maximum lifetime of the session cookie by configuring the key play.http.session.maxAge in application.conf; this also sets play.http.session.jwt.expiresAfter to the same value. The maxAge property makes the browser discard the cookie, and the JWT exp claim is set in the cookie so that it becomes invalid after the given duration.

The session cookie uses the JWT cookie encoding. If you prefer, you can revert to the URL-encoded cookie encoding by switching to play.api.mvc.LegacyCookiesModule in the application.conf file:

play.modules.disabled+="play.api.mvc.CookiesModule"
play.modules.enabled+="play.api.mvc.LegacyCookiesModule"

§Session configuration

The default session configuration is as follows:

# Session configuration
session = {

  # The cookie name
  cookieName = "PLAY_SESSION"

  # Whether the secure attribute of the cookie should be set to true
  secure = false

  # The max age to set on the cookie.
  # If null, the cookie expires when the user closes their browser.
  # An important thing to note, this only sets when the browser will discard the cookie.
  maxAge = null

  # Whether the HTTP only attribute of the cookie should be set to true
  httpOnly = true

  # The value of the SameSite attribute of the cookie. Set to null for no SameSite attribute.
  # Possible values are "lax", "strict" and "none". If misconfigured it's set to null.
  sameSite = "lax"

  # The domain to set on the session cookie
  # If null, does not set a domain on the session cookie.
  domain = null

  # The session path
  # Must start with /.
  path = ${play.http.context}

  jwt {
    # The JWT signature algorithm to use on the session cookie
    # uses 'alg' https://tools.ietf.org/html/rfc7515#section-4.1.1
    signatureAlgorithm = "HS256"

    # The time after which the session is automatically invalidated.
    # Use 'exp' https://tools.ietf.org/html/rfc7519#section-4.1.4
    expiresAfter = ${play.http.session.maxAge}

    # The amount of clock skew to accept between servers when performing date checks
    # If you have NTP or roughtime synchronizing between servers, you can enhance
    # security by tightening this value.
    clockSkew = 5 minutes

    # The claim key under which all user data is stored in the JWT.
    dataClaim = "data"
  }
}
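As an added example that is not Play's own implementation, the Python below models what the settings above control: an HS256-signed session cookie whose iat, nbf and exp claims are checked against the configured 5 minute clockSkew, and whose data claim is readable by anyone holding the cookie because the JWT is signed but not encrypted. The secret, the one-hour expiresAfter and the session data are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; Play derives the real key from play.http.secret.key.
SECRET = b"constructed-example-secret"
CLOCK_SKEW = 5 * 60        # clockSkew = 5 minutes, in seconds
EXPIRES_AFTER = 3600       # constructed maxAge / jwt.expiresAfter of one hour

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_session(data: dict, now: int, secret: bytes = SECRET) -> str:
    """Build a cookie value as the configuration describes: iat and nbf set to the
    creation time, exp = now + expiresAfter, user data under the 'data' claim, HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iat": now, "nbf": now, "exp": now + EXPIRES_AFTER, "data": data}
    signing_input = f"{header}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def peek_data(token: str) -> dict:
    """The JWT is signed but not encrypted: the data claim is readable without the key,
    so the session must never hold anything confidential."""
    return json.loads(b64url_decode(token.split(".")[1]))["data"]

def decode_session(token: str, now: int, secret: bytes = SECRET):
    """Return the data claim when signature and time claims check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None                                   # not a three-part JWT
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None                                   # pin signatureAlgorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None                                   # tampered, or another key
    claims = json.loads(b64url_decode(payload))
    if now + CLOCK_SKEW < claims["nbf"]:
        return None                                   # not-before support
    if "exp" in claims and now - CLOCK_SKEW >= claims["exp"]:
        return None                                   # session timeout reached
    return claims["data"]
```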


