playframework-2.0 securesocial

How to keep SecureSocial users logged in?


I have a Play 2.0.4 web app that uses SecureSocial to allow users to log in through third-party providers like Twitter, Facebook, and Gmail. At that point, I am not using my own UsernamePasswordProvider; maybe I'll add it later.

I need my users to stay logged in for a long time, maybe a week. In my case, the user session is just used for various convenience features like customizations, so the risks associated with long-lived sessions are definitely less important than the convenience of not having to log in every time.

It looks like currently the session is stored in an ephemeral cookie that goes away when the user terminates the browser. There is a sessionTimeOut parameter in the config file, but its purpose seems to be terminating a session in a browser that stays open for a long time. At least, the session is interrupted immediately when I close and reopen the browser even if this timeout is set to a large number.

What is the recommended way of keeping the users logged in for a long time?


Solution

  • The latest snapshot from master (for Play 2.1) has a new property that makes the authenticator cookie persistent if you need that. In your config file you can add:

    securesocial.cookie.makeTransient=false
    securesocial.cookie.absoluteTimeoutInMinutes=1440
    securesocial.cookie.idleTimeoutInMinutes=1440
    

    That would make the cookie persistent and make the session last 24 hours.
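
How the three settings in the answer interact, as an added example that is not part of the original answer and not SecureSocial's own code: a small Python model that replays visits against a policy. It assumes the absolute timeout is measured from login, the idle timeout from the last valid request, and that a transient cookie is lost on browser restart; the one-week values (10080 minutes) are constructed to match the question.

```python
from dataclasses import dataclass
from datetime import timedelta

@dataclass(frozen=True)
class CookiePolicy:
    make_transient: bool        # securesocial.cookie.makeTransient
    absolute_timeout_min: int   # securesocial.cookie.absoluteTimeoutInMinutes
    idle_timeout_min: int       # securesocial.cookie.idleTimeoutInMinutes

WEEK = 7 * 24 * 60                               # 10080 minutes
ANSWER = CookiePolicy(False, 1440, 1440)         # values from the answer
ONE_WEEK = CookiePolicy(False, WEEK, WEEK)       # constructed
WEEK_IDLE_DAY = CookiePolicy(False, WEEK, 1440)  # constructed
TRANSIENT = CookiePolicy(True, WEEK, WEEK)       # constructed

def replay(policy, visit_hours, restart_before=()):
    """Replay visits (hours since login); return one outcome per visit.

    restart_before holds the indexes of visits preceded by a browser
    restart. Assumed model: the session ends at the first failed check.
    """
    absolute = timedelta(minutes=policy.absolute_timeout_min)
    idle = timedelta(minutes=policy.idle_timeout_min)
    last_used = timedelta(0)
    outcomes = []
    for i, hours in enumerate(visit_hours):
        now = timedelta(hours=hours)
        if outcomes and outcomes[-1] != "valid":
            outcomes.append("logged out")
        elif policy.make_transient and i in restart_before:
            outcomes.append("cookie dropped")    # session cookie gone
        elif now > absolute:
            outcomes.append("absolute timeout")  # too long since login
        elif now - last_used > idle:
            outcomes.append("idle timeout")      # too long since last use
        else:
            outcomes.append("valid")
            last_used = now                      # activity resets idle clock
    return outcomes

if __name__ == "__main__":
    visits = [12, 30, 96, 200]                   # constructed sample visits
    for name, policy in [("answer", ANSWER), ("one week", ONE_WEEK),
                         ("week, 1-day idle", WEEK_IDLE_DAY)]:
        print(name, replay(policy, visits))
    print("transient", replay(TRANSIENT, [1, 2], restart_before={1}))
```

In this model a shorter idle timeout under a one-week absolute timeout keeps frequent visitors logged in while expiring a cookie that has gone unused for a day.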