
Signed cookie sessions in Axum

Build login, identity, and logout handlers backed by tamper-evident signed cookies in Axum: the client can read the cookie value, but cannot alter it without the server's signing key.

Explained by highlit
```rust
use axum::{
    extract::FromRef,
    http::StatusCode,
    response::{IntoResponse, Redirect},
    routing::{get, post},
    Form, Router,
};
use axum_extra::extract::cookie::{Cookie, Key, SameSite, SignedCookieJar};
use serde::Deserialize;
use time::Duration;

const SESSION_COOKIE: &str = "session_user";

/// Shared application state. The `Key` is the secret that signs and verifies
/// every cookie in the `SignedCookieJar`; anyone holding it can mint valid cookies.
#[derive(Clone)]
struct AppState {
    cookie_key: Key,
}

// `SignedCookieJar` pulls its key out of the router state through `FromRef`,
// so this impl is what makes the extractor usable in handlers below.
impl FromRef<AppState> for Key {
    fn from_ref(state: &AppState) -> Self {
        state.cookie_key.clone()
    }
}

#[derive(Deserialize)]
struct Login {
    user_id: String,
}

// Issues the session cookie. The value is signed, not encrypted: the client can
// read `user_id` but cannot change it without invalidating the MAC. Credential
// checking is out of scope for this snippet and must happen before `login.user_id`
// is trusted.
async fn create_session(
    jar: SignedCookieJar,
    Form(login): Form<Login>,
) -> impl IntoResponse {
    let cookie = Cookie::build((SESSION_COOKIE, login.user_id))
        .path("/")
        .http_only(true) // not readable from JavaScript
        .secure(true) // only sent over HTTPS
        .same_site(SameSite::Lax) // withheld from cross-site POSTs and subresource requests
        .max_age(Duration::days(7));

    // Returning the updated jar alongside the response emits its Set-Cookie headers.
    (jar.add(cookie), Redirect::to("/dashboard"))
}

// `jar.get` only returns a cookie whose signature verifies under the state key;
// a forged or altered cookie is indistinguishable from a missing one.
async fn current_user(jar: SignedCookieJar) -> Result<String, StatusCode> {
    match jar.get(SESSION_COOKIE) {
        Some(cookie) => Ok(format!("Logged in as {}", cookie.value())),
        None => Err(StatusCode::UNAUTHORIZED),
    }
}

// The removal cookie must carry the same `path` (and domain, if one was set) as
// the cookie that was issued; otherwise the browser treats it as a different
// cookie and the session stays alive.
async fn logout(jar: SignedCookieJar) -> impl IntoResponse {
    let removal = Cookie::build(SESSION_COOKIE).path("/");
    (jar.remove(removal), Redirect::to("/"))
}

// Wiring added so the snippet runs as a binary (needs the `tokio` crate with the
// "full" feature); the route paths are illustrative.
#[tokio::main]
async fn main() {
    // A fresh random key invalidates every session on restart; a real deployment
    // loads a persistent key from configuration.
    let state = AppState { cookie_key: Key::generate() };

    let app = Router::new()
        .route("/login", post(create_session))
        .route("/me", get(current_user))
        .route("/logout", post(logout))
        .with_state(state);

    let listener = tokio::net::TcpListener::bind("127.0.0.1:3000").await.unwrap();
    axum::serve(listener, app).await.unwrap();
}
```
Three takeaways
  1. A signing `Key` in shared state lets `SignedCookieJar` verify on every request that a cookie was issued by this server and has not been altered since. The value itself is not hidden, so keep secrets out of a signed cookie (or use the encrypting `PrivateCookieJar` instead).
  2. Setting `http_only`, `secure`, and `same_site` hardens the session cookie: `HttpOnly` keeps script, and therefore an XSS payload, from reading it; `Secure` keeps it off plaintext HTTP; `SameSite=Lax` withholds it from cross-site POSTs and subresource requests, which blunts CSRF. Lax still sends the cookie on top-level cross-site GET navigations, so state-changing endpoints must not accept GET.
  3. Returning a tuple of the updated jar and a response lets a handler add or remove cookies and redirect in one expression. The removal cookie must repeat the original `path`, or the browser will not delete the cookie.
