rust
50 lines · 8 steps
Signed cookie sessions in Axum
Build login, identity, and logout handlers backed by tamper-proof signed cookies in Axum.
Explained by
highlit
1use axum::{
2 extract::FromRef,
3 http::StatusCode,
4 response::{IntoResponse, Redirect},
5 Form,
6};
7use axum_extra::extract::cookie::{Cookie, Key, SignedCookieJar};
8use serde::Deserialize;
9use time::Duration;
10
11#[derive(Clone)]
12struct AppState {
13 cookie_key: Key,
14}
15
16impl FromRef<AppState> for Key {
17 fn from_ref(state: &AppState) -> Self {
18 state.cookie_key.clone()
19 }
20}
21
22#[derive(Deserialize)]
23struct Login {
24 user_id: String,
25}
26
27async fn create_session(
28 jar: SignedCookieJar,
29 Form(login): Form<Login>,
30) -> impl IntoResponse {
31 let cookie = Cookie::build(("session_user", login.user_id))
32 .path("/")
33 .http_only(true)
34 .secure(true)
35 .same_site(axum_extra::extract::cookie::SameSite::Lax)
36 .max_age(Duration::days(7));
37
38 (jar.add(cookie), Redirect::to("/dashboard"))
39}
40
41async fn current_user(jar: SignedCookieJar) -> Result<String, StatusCode> {
42 match jar.get("session_user") {
43 Some(cookie) => Ok(format!("Logged in as {}", cookie.value())),
44 None => Err(StatusCode::UNAUTHORIZED),
45 }
46}
47
48async fn logout(jar: SignedCookieJar) -> impl IntoResponse {
49 (jar.remove(Cookie::from("session_user")), Redirect::to("/"))
50}
01 / 01
STEP 01
‹ swipe to step through ›
Walkthrough
Space play
←→ step
click any line
Three takeaways
- 1A signing key in shared state lets Axum verify cookies haven't been tampered with on every request.
- 2Setting http_only, secure, and same_site hardens session cookies against XSS and CSRF leakage.
- 3Returning a tuple of jar plus response lets a handler mutate cookies and redirect in one expression.
Related explainers
rust
use std::time::Duration; use axum::{ http::{header, HeaderValue, Method},
Configuring CORS on an Axum Router
cors
middleware
http-headers
Intermediate
7 steps
rust
use axum::{ body::Bytes, extract::State, http::StatusCode,
Handling raw byte uploads in Axum
extractors
shared-state
request-limits
Intermediate
7 steps
rust
use axum::{ extract::{Query, State}, http::StatusCode, Json,
Paginated, filtered product listing in Axum
pagination
query-parameters
sql-filtering
Intermediate
8 steps
python
import time from dataclasses import dataclass, field from fastapi import Depends, FastAPI, HTTPException, Request, status
Token-bucket rate limiting in FastAPI
rate-limiting
token-bucket
dependency-injection
Advanced
10 steps
rust
use axum::{ http::StatusCode, response::{IntoResponse, Response}, Json,
How a custom error type maps to HTTP in Axum
error-handling
enums
trait-implementation
Intermediate
7 steps
javascript
import { cookies } from 'next/headers'; import { NextResponse } from 'next/server'; import { SignJWT, jwtVerify } from 'jose';
JWT session cookies in a Next.js Route Handler
authentication
jwt
cookies
Intermediate
8 steps
Share this explainer
Here's the card — post it anywhere.
Made with highlit — turn any snippet into a walkthrough like this in about a minute.
Explain your code
Embed this explainer
Drop the interactive walkthrough into a blog or docs. Views never cost a credit.
<iframe src="https://highlit.co/explainers/signed-cookie-sessions-in-axum-explained-rust-0dfa/embed?autoplay=1" width="100%" height="520" loading="lazy" style="border:0"></iframe>
Autoplay is on by default — add ?autoplay=0 to start paused.