Server-side session management.
Three session store implementations are provided:
- SessionStore — in-process HashMap; fast, zero-config, but sessions are lost on restart. Good for single-instance deployments.
- DbSessionStore — backed by the model-layer DbPool; sessions survive restarts and are shared across multiple processes that use the same database. Requires a model-sqlite, model-postgres, or model-mysql feature.
- RedisSessionStore — backed by a Redis server via a hand-rolled RESP client; scales horizontally with no shared database needed. Requires a running Redis server.
All three expose the same public API: create, create_with_id, load,
save, destroy, purge_expired, len, is_empty.
Session holds the key/value data for one session. Retrieve it with
the store’s load, mutate it, then persist changes with save.
Helper functions session_id_from_request, session_cookie, and
destroy_cookie translate between the HTTP cookie layer and the store.
§Security note
Session IDs are generated from a non-cryptographic hash of the system
clock and an atomic counter, so they are not guaranteed to be
unpredictable. This is sufficient for most internal applications.
For public-facing services requiring unpredictable IDs, generate the ID
with your own CSPRNG and pass it to SessionStore::create_with_id.
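One way to produce such an ID, as an added example that is not part of the crate's own documentation: it reads 32 bytes from /dev/urandom (Unix only, standard library only) and hex-encodes them. The helper names new_session_id and is_well_formed_id are hypothetical, and the create_with_id call shown in the comment assumes it accepts the ID as a string, which the page does not specify.

```rust
use std::fs::File;
use std::io::{self, Read};

/// 32 random bytes = 256 bits of entropy, hex-encoded to 64 characters.
const ID_BYTES: usize = 32;

/// Draw a session ID from the kernel CSPRNG (/dev/urandom, Unix only).
/// On other platforms a crate such as `getrandom` is the portable choice.
fn new_session_id() -> io::Result<String> {
    let mut buf = [0u8; ID_BYTES];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

/// Accept only IDs of the exact shape new_session_id() produces, so a
/// malformed cookie value is rejected before it reaches the store.
fn is_well_formed_id(id: &str) -> bool {
    id.len() == ID_BYTES * 2
        && id.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
}

fn main() -> io::Result<()> {
    let id = new_session_id()?;
    assert!(is_well_formed_id(&id));
    // Assumed call shape (the page names create_with_id but not its signature):
    //     let mut sess = state.sessions.create_with_id(&id);
    println!("generated session id: {}", id);
    Ok(())
}
```

In a handler, is_well_formed_id would run on the value returned by session_id_from_request before calling load.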
§Example
use rust_web_server::app::App;
use rust_web_server::core::New;
use rust_web_server::session::{self, SessionStore};
use rust_web_server::header::Header;
use rust_web_server::response::{Response, STATUS_CODE_REASON_PHRASE};

struct State { sessions: SessionStore }

let app = App::with_state(State { sessions: SessionStore::new(3600) })
    .post("/login", |req, _params, _conn, state| {
        // verify credentials …
        let mut sess = state.sessions.create();
        sess.set("user_id", "42");
        state.sessions.save(&sess);
        let mut r = Response::new();
        r.status_code = *STATUS_CODE_REASON_PHRASE.n200_ok.status_code;
        r.reason_phrase = STATUS_CODE_REASON_PHRASE.n200_ok.reason_phrase.to_string();
        r.headers.push(Header {
            name: "Set-Cookie".to_string(),
            value: session::session_cookie(&sess.id, "sid", 3600),
        });
        r
    })
    .get("/profile", |req, _params, _conn, state| {
        let mut r = Response::new();
        let sid = match session::session_id_from_request(&req, "sid") {
            Some(id) => id,
            None => {
                r.status_code = *STATUS_CODE_REASON_PHRASE.n401_unauthorized.status_code;
                r.reason_phrase = STATUS_CODE_REASON_PHRASE.n401_unauthorized.reason_phrase.to_string();
                return r;
            }
        };
        let sess = match state.sessions.load(&sid) {
            Some(s) => s,
            None => {
                r.status_code = *STATUS_CODE_REASON_PHRASE.n401_unauthorized.status_code;
                r.reason_phrase = STATUS_CODE_REASON_PHRASE.n401_unauthorized.reason_phrase.to_string();
                return r;
            }
        };
        let user_id = sess.get("user_id").unwrap_or("guest");
        r.status_code = *STATUS_CODE_REASON_PHRASE.n200_ok.status_code;
        r.reason_phrase = STATUS_CODE_REASON_PHRASE.n200_ok.reason_phrase.to_string();
        r
    });

Structs§
- RedisSessionStore - Session store backed by a Redis server.
- RespConn - A minimal RESP v2 client for issuing Redis commands.
- Session - Data for a single session, keyed by Session::id.
- SessionStore - Thread-safe in-memory session store with TTL-based expiry.
Functions§
- destroy_cookie - Build a Set-Cookie header value that clears cookie_name in the browser (Max-Age=0). Use after calling SessionStore::destroy.
- session_cookie - Build a Set-Cookie header value that stores session_id in cookie_name with HttpOnly, SameSite=Lax, Path=/, and Max-Age.
- session_id_from_request - Extract the session ID from the named cookie in a request’s Cookie header. Returns None if the header is absent or the cookie is missing.