Functions for creating and parsing signed & encrypted cookies.
The cookie crate is the de facto secure cookie library in Rust. It is Way Too Complicated (TM) for what I need. (And, in my opinion, for what most people need.) This is the 80% solution for 20% of the effort.
This library has only four goals:
- A simple, easily auditable implementation of signing, encrypting, decrypting & verifying cookies.
- Clear comments pointing out security issues and describing how to avoid them.
- no_std & no_alloc support. (Because why allocate if you don't need to?)
- Never panic
The goals of this library are not:
- Automatically detecting when a new Set-Cookie header is required.
- Tracking changes to cookies.
- Validating cookie name compliance with RFC6265. (Just don't use any weird cookie names.)
- Any kind of cookie "jar" functionality.
- Literally anything else.
Basic use
With the rand and std features enabled (they are enabled by default), you just need three function calls:
use ;
let signing_key = generate_signing_key;
let encoded = encode_cookie;
let decoded = decode_cookie;
assert_eq!;
You probably want an actual Set-Cookie header. You can build one pretty easily:
use ;
let signing_key = generate_signing_key;
let encoded = encode_cookie;
// You might find the docs for the Set-Cookie header on MDN helpful: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
let header = format!;
Then, to decrypt a header:
use ;
// You can create your own key or load it from somewhere.
// Don't use all zeros like this though. See the documentation for SigningKey for more info.
let signing_key = ;
// This is a standard HTTP Cookie header, pretty much exactly what the browser sends to your server.
let header = b"Cookie: session=mbccnoonilihadcgdodlnebagojggejpcljodhghaeglnomdpjhekoiepiljopgd; another-cookie=another-value";
// parse_cookie_header_value doesn't expect the header name.
// You don't normally need this step since HTTP libraries typically automatically parse
// the header name & value into separate parts of a tuple or struct or something.
let header = &header;
// parse_cookie_header_value returns an iterator, so you can use it in a for loop or something.
// I'll just find the cookie we're interested in here.
let = parse_cookie_header_value.find.unwrap;
println!;
println!;
let value = decode_cookie;
assert!
Advanced Use
You can use this library without std or the rand crate by setting default-features = false.
let data = ;
const ENCODE_BUFFER_SIZE: usize = 62; // or use: simple_cookie::encoded_buffer_size(data.len())
const DECODE_BUFFER_SIZE: usize = 3; // or use: simple_cookie::decode_buffer_size(encoded_buffer_size)
// Up to you to generate a signing key without the rand crate.
// See the docs on the [SigningKey] type for more info.
let signing_key = ;
// Up to you to generate an nonce without the rand crate.
// See the docs on [encode_cookie_advnaced] for requirements.
let nonce = ;
let mut encoded = ;
// The advanced version of encode_cookie takes an explicit nonce
// (rather than generating it automatically with the rand crate)
// and a mutable buffer to write into (rather than returning a Vec).
let output =
encode_cookie_advanced
.unwrap;
// Decoding is similar. Make sure you use the same signing key
// to decode that you used to encode!
let mut decoded = ;
decode_cookie_advanced
.unwrap;
assert_eq!;