Expand description
Per-session CSRF tokens.
Each session carries its own 256-bit random token, distinct
from the session id. Admin forms render it in a hidden
_csrf input; POST handlers validate it with a constant-time
compare before touching persistent state.
The design is stateful — the token lives alongside the
session in rustio_sessions.csrf_token. Logging out or
rotating the session (via password change) invalidates the
token together with the session.
Functions§
- generate_
token - Generate a fresh CSRF token with the same entropy as a session
id. Called by
super::session::createfor every new session. - verify_
token - Constant-time comparison of two token strings.