Javadoc
The current HTTP session. The Play! session does not live on the server side but on the client side: it is stored in
a signed cookie, and is therefore limited to 4kb.
From Wikipedia:

    Client-side sessions use cookies and cryptographic techniques to maintain state without storing as much data on
    the server. When presenting a dynamic web page, the server sends the current state data to the client (web
    browser) in the form of a cookie. The client saves the cookie in memory or on disk. With each successive request,
    the client sends the cookie back to the server, and the server uses the data to "remember" the state of the
    application for that specific client and generate an appropriate response. This mechanism may work well in some
    contexts; however, data stored on the client is vulnerable to tampering by the user or by software that has
    access to the client computer.

    To use client-side sessions where confidentiality and integrity are required, the following must be guaranteed:

      - Confidentiality: Nothing apart from the server should be able to interpret session data.
      - Data integrity: Nothing apart from the server should manipulate session data (accidentally or maliciously).
      - Authenticity: Nothing apart from the server should be able to initiate valid sessions.

    To accomplish this, the server needs to encrypt the session data before sending it to the client, and
    modification of such information by any other party should be prevented via cryptographic means. Transmitting
    state back and forth with every request is only practical when the size of the cookie is small. In essence,
    client-side sessions trade server disk space for the extra bandwidth that each web request will require.
    Moreover, web browsers limit the number and size of cookies that may be stored by a web site. To improve
    efficiency and allow for more session data, the server may compress the data before creating the cookie,
    decompressing it later when the cookie is returned by the client.
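The following is an added illustration of the scheme the text describes, not Play's own session or Crypto code: the session is serialised into a cookie, an HMAC tag gives integrity and authenticity, and a size check enforces the cookie limit. The tag format, the HMAC-SHA256 choice, the 4096-byte limit and the secret are assumptions of this example. Because the cookie is signed but not encrypted, the client can still read the payload (peek_session), which is why nothing confidential belongs in such a session.

```python
import hashlib
import hmac
import urllib.parse

COOKIE_LIMIT = 4096  # assumption: the "4kb" cap of the text, taken as bytes
SECRET = b"constructed-demo-secret"  # constructed; a real app uses its configured secret


def encode_session(data: dict, secret: bytes = SECRET) -> str:
    """Serialise `data` as url-encoded pairs and prepend an HMAC-SHA256 tag (hex).

    Cookie layout (assumption): "<hex tag>-<payload>". The hex tag never contains
    "-", so the first "-" always separates tag and payload.
    """
    payload = urllib.parse.urlencode(sorted(data.items()))
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    cookie = f"{tag}-{payload}"
    if len(cookie.encode()) > COOKIE_LIMIT:
        raise ValueError("session does not fit in the cookie size limit")
    return cookie


def decode_session(cookie: str, secret: bytes = SECRET):
    """Return the session dict if the tag verifies; None otherwise.

    A None result means the server must treat the request as having no session,
    since the cookie was either tampered with or signed with a different secret.
    """
    tag, sep, payload = cookie.partition("-")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return dict(urllib.parse.parse_qsl(payload, keep_blank_values=True))


def peek_session(cookie: str) -> dict:
    """What anyone holding the cookie can read without the secret: the whole payload."""
    _tag, _sep, payload = cookie.partition("-")
    return dict(urllib.parse.parse_qsl(payload, keep_blank_values=True))


if __name__ == "__main__":
    cookie = encode_session({"user": "alice", "role": "user"})
    print(decode_session(cookie))                                 # verifies
    print(decode_session(cookie.replace("role=user", "role=admin")))  # None: tag mismatch
    print(peek_session(cookie))                                   # readable without the secret
```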
Note: The ControllersEnhancer makes sure that an appropriate thread-local version is applied, i.e. an access to
controller.session resolves to controller.session.current().