Module session

Session management — opaque server-side sessions backed by crate::store::SessionStore.

Plan 11 reference: “auth.session” — an opaque session id (random 32 bytes, base64url) plus a parallel CSRF token. The cookie value is the session id; the server resolves it against the store on every request. Revocation is a single DELETE — no JWT-style “wait for expiry” footgun.

SessionManager is the entry point. Cookie helpers (cookie_for, csrf_cookie_for) build the standard cookie pair (HttpOnly + Secure session cookie, JS-readable CSRF cookie) used by the double-submit pattern.
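The lifecycle described in the two paragraphs above (mint an opaque id plus a parallel CSRF token, resolve the id against the store on every request, revoke with a single delete, and check the double-submit pair on state-changing requests) as an added, self-contained illustration. This is not the crate's own code: it swaps a `HashMap` for `crate::store::SessionStore`, guesses the cookie names (`session`, `csrf`) and the `SameSite=Lax` attribute, takes the random source as a closure so the example runs offline, and only reads `/dev/urandom` in `main`; all of those are assumptions.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Mirrors the module's 30-day DEFAULT_SESSION_DURATION.
pub const DEFAULT_SESSION_DURATION: Duration = Duration::from_secs(30 * 24 * 60 * 60);

/// What the store holds per session id: the owner, the CSRF token bound to
/// this session, and the absolute expiry.
#[derive(Clone, Debug)]
pub struct Session {
    pub user: String,
    pub csrf_token: String,
    pub expires_at: Instant,
}

/// Illustrative stand-in for the crate's SessionManager (assumption: the real
/// type wraps a SessionStore; here an in-memory HashMap plays that role).
pub struct SessionManager {
    store: HashMap<String, Session>,
    duration: Duration,
    rng: Box<dyn FnMut(&mut [u8])>, // injected so tests can be deterministic
}

impl SessionManager {
    pub fn new(duration: Duration, rng: Box<dyn FnMut(&mut [u8])>) -> Self {
        Self { store: HashMap::new(), duration, rng }
    }

    /// 32 random bytes, base64url without padding: a 43-character opaque token.
    fn fresh_token(&mut self) -> String {
        let mut buf = [0u8; 32];
        (self.rng)(&mut buf);
        base64url(&buf)
    }

    /// Mint a session and its parallel CSRF token; returns (session_id, csrf_token).
    pub fn mint(&mut self, user: &str, now: Instant) -> (String, String) {
        let sid = self.fresh_token();
        let csrf = self.fresh_token();
        let session = Session { user: user.to_string(), csrf_token: csrf.clone(), expires_at: now + self.duration };
        self.store.insert(sid.clone(), session);
        (sid, csrf)
    }

    /// Resolve a cookie value against the store. Expired entries are removed on
    /// sight, so a stale id is indistinguishable from a revoked one.
    pub fn resolve(&mut self, sid: &str, now: Instant) -> Option<&Session> {
        if self.store.get(sid).map_or(false, |s| s.expires_at <= now) {
            self.store.remove(sid);
            return None;
        }
        self.store.get(sid)
    }

    /// Revocation is one delete; the next request simply finds nothing.
    pub fn revoke(&mut self, sid: &str) -> bool {
        self.store.remove(sid).is_some()
    }

    /// Double-submit check: the CSRF cookie must equal the echoed header, and
    /// both must equal the token bound to the session. Constant-time compare.
    pub fn verify_csrf(&mut self, sid: &str, cookie_csrf: &str, header_csrf: &str, now: Instant) -> bool {
        match self.resolve(sid, now) {
            Some(s) => ct_eq(s.csrf_token.as_bytes(), header_csrf.as_bytes())
                && ct_eq(cookie_csrf.as_bytes(), header_csrf.as_bytes()),
            None => false,
        }
    }
}

/// HttpOnly + Secure session cookie (cookie name and SameSite are assumptions).
pub fn cookie_for(sid: &str, max_age: Duration) -> String {
    format!("session={}; Path=/; Max-Age={}; HttpOnly; Secure; SameSite=Lax", sid, max_age.as_secs())
}

/// Parallel CSRF cookie: same path and max-age, deliberately NOT HttpOnly.
pub fn csrf_cookie_for(csrf: &str, max_age: Duration) -> String {
    format!("csrf={}; Path=/; Max-Age={}; Secure; SameSite=Lax", csrf, max_age.as_secs())
}

/// base64url (RFC 4648 section 5) without padding.
fn base64url(bytes: &[u8]) -> String {
    const ALPHABET: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = String::with_capacity((bytes.len() + 2) / 3 * 4);
    for chunk in bytes.chunks(3) {
        let n = (chunk[0] as u32) << 16
            | (*chunk.get(1).unwrap_or(&0) as u32) << 8
            | *chunk.get(2).unwrap_or(&0) as u32;
        out.push(ALPHABET[(n >> 18) as usize & 63] as char);
        out.push(ALPHABET[(n >> 12) as usize & 63] as char);
        if chunk.len() > 1 { out.push(ALPHABET[(n >> 6) as usize & 63] as char); }
        if chunk.len() > 2 { out.push(ALPHABET[n as usize & 63] as char); }
    }
    out
}

/// Length-then-XOR-fold comparison; no early exit on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn main() {
    // Assumption: a Unix host. Production code should use a vetted OS RNG binding.
    let os_rng = Box::new(|buf: &mut [u8]| {
        use std::io::Read;
        std::fs::File::open("/dev/urandom").and_then(|mut f| f.read_exact(buf)).expect("os rng");
    });
    let mut mgr = SessionManager::new(DEFAULT_SESSION_DURATION, os_rng);
    let now = Instant::now();
    let (sid, csrf) = mgr.mint("alice", now);
    println!("{}", cookie_for(&sid, DEFAULT_SESSION_DURATION));
    println!("{}", csrf_cookie_for(&csrf, DEFAULT_SESSION_DURATION));
    println!("csrf ok: {}", mgr.verify_csrf(&sid, &csrf, &csrf, now));
    mgr.revoke(&sid);
    println!("resolves after revoke: {}", mgr.resolve(&sid, now).is_some());
}
```

Note that `verify_csrf` checks the header against the token stored for the session, not only against the cookie: a plain cookie-vs-header equality check is the minimal double-submit form, but binding the token to the server-side session also defeats an attacker who can set cookies on a sibling subdomain.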

Phase 8 adds an HTTP router under router that mounts the session-facing endpoints (/login, /logout, /whoami, passkey ceremony). The auth top-level router merges this in.

Structs§

SessionManager
Owns the SessionStore and mints / resolves / revokes sessions.

Constants§

CSRF_COOKIE
Cookie name carrying the CSRF token. NOT HttpOnly — client JS reads this and echoes it in a request header (double-submit pattern).
DEFAULT_SESSION_DURATION
Default session lifetime — 30 days. Matches typical “remember me” expectations; per-deployment configuration overrides via SessionManager::new.
SESSION_COOKIE
Cookie name carrying the opaque session id. HttpOnly — never read by browser JS.

Functions§

cookie_for
Build the HttpOnly session cookie that carries the opaque id.
csrf_cookie_for
Build the parallel CSRF cookie. Same path / max-age as the session cookie but NOT HttpOnly so client JS can echo the value in a request header on state-changing requests (double-submit pattern).
router
Build the session router. Generic over a parent state S from which AuthCtx is extractable via axum::extract::FromRef.