§Salvo Session Support
Salvo’s session middleware is built on top of async-session.
See a complete example: session-login
Sessions allow Salvo applications to securely attach data to browser sessions, enabling retrieval and modification of this data on subsequent visits. Session data is typically retained only for the duration of a browser session.
§Stores
It is highly recommended to use an external-datastore-backed session storage for production Salvo applications. For a list of currently available session stores, see the documentation for async-session.
§Security
While each session store may have different security implications, Salvo’s session system works as follows:
On each request, Salvo checks for the cookie specified by cookie_name in the handler configuration.
§When no cookie is found:
- A cryptographically random cookie value is generated
- A cookie is set on the outbound response and signed with an HKDF key derived from the secret provided when creating the SessionHandler
- The session store uses a SHA256 digest of the cookie value to store the session along with an optional expiry time
§When a cookie is found:
- The HKDF-derived signing key verifies the cookie value’s signature
- If verification succeeds, the value is passed to the session store to retrieve the associated Session
- For most session stores, this involves taking a SHA256 digest of the cookie value and retrieving a serialized Session from an external datastore
§Expiry Handling
Sessions include expiry information in both the cookie and the serialization format. Even if an adversary tampers with a cookie’s expiry, Salvo validates the expiry on the contained session before using it.
§Error Handling
If any failures occur during session retrieval, a new empty session is generated for the request, which proceeds through the application normally.
§Stale/Expired Session Cleanup
Any session store (except the cookie store) will accumulate stale sessions over time. Although Salvo ensures expired sessions won’t be used, it remains the application’s responsibility to periodically call cleanup on the session store if required.
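The three behaviours above (the stored session's own expiry wins over whatever expiry the cookie claims, any retrieval failure yields a fresh empty session, and stale records must be swept out of the store) are easy to get wrong when writing a custom store. The following is an added example, not code from Salvo or async-session: a toy in-memory store in plain Rust that models those rules. Signature verification and the SHA256 digest of the cookie value are out of scope here, so `VerifiedCookie`, `store_key`, `MemoryStore` and `resolve_session` are constructed names for this illustration and assume the cookie has already passed the HKDF signature check and been digested into a lookup key.

```rust
use std::collections::HashMap;

// Constructed stand-in for the serialized Session a store hands back.
// The expiry lives inside the stored record, not only in the cookie.
#[derive(Clone, Debug, PartialEq)]
pub struct Session {
    pub data: HashMap<String, String>,
    /// Unix seconds after which the session is invalid (None = no expiry).
    pub expiry: Option<u64>,
}

impl Session {
    pub fn new() -> Self {
        Session { data: HashMap::new(), expiry: None }
    }
    pub fn is_expired(&self, now: u64) -> bool {
        matches!(self.expiry, Some(t) if t <= now)
    }
}

/// What the client presents, after signature verification (assumed done
/// elsewhere): the digested cookie value used as a store key, plus the
/// expiry the cookie *claims*. The claim is attacker-controlled data.
pub struct VerifiedCookie<'a> {
    pub store_key: &'a str,
    pub claimed_expiry: Option<u64>,
}

/// Toy in-memory store keyed by the digested cookie value (constructed).
#[derive(Default)]
pub struct MemoryStore {
    sessions: HashMap<String, Session>,
}

impl MemoryStore {
    pub fn insert(&mut self, key: &str, session: Session) {
        self.sessions.insert(key.to_string(), session);
    }
    pub fn load(&self, key: &str) -> Option<Session> {
        self.sessions.get(key).cloned()
    }
    /// Stale-session cleanup: drop every record whose own expiry has passed.
    /// Returns how many records were removed.
    pub fn cleanup(&mut self, now: u64) -> usize {
        let before = self.sessions.len();
        self.sessions.retain(|_, s| !s.is_expired(now));
        before - self.sessions.len()
    }
    pub fn len(&self) -> usize {
        self.sessions.len()
    }
}

/// Resolve the session for a request. Missing cookie, unknown key or an
/// expired stored record all fall back to a fresh empty session, and the
/// cookie's claimed expiry is never consulted: only the stored record decides.
pub fn resolve_session(store: &MemoryStore, cookie: Option<VerifiedCookie<'_>>, now: u64) -> Session {
    let cookie = match cookie {
        Some(c) => c,
        None => return Session::new(),
    };
    let _ = cookie.claimed_expiry; // deliberately ignored
    match store.load(cookie.store_key) {
        Some(s) if !s.is_expired(now) => s,
        _ => Session::new(),
    }
}

/// Builds a constructed store with one live session (A) and one stale one (B).
pub fn demo_store() -> MemoryStore {
    let mut store = MemoryStore::default();
    let mut alive = Session::new();
    alive.data.insert("user".into(), "alice".into());
    alive.expiry = Some(2_000);
    store.insert("digest-of-cookie-A", alive);
    let mut stale = Session::new();
    stale.data.insert("user".into(), "bob".into());
    stale.expiry = Some(500);
    store.insert("digest-of-cookie-B", stale);
    store
}

fn main() {
    let mut store = demo_store();
    let now = 1_000;
    // A tampered cookie claims a far-future expiry for the stale session B.
    let tampered = VerifiedCookie { store_key: "digest-of-cookie-B", claimed_expiry: Some(9_999) };
    let s = resolve_session(&store, Some(tampered), now);
    println!("tampered cookie for B resolved to an empty session: {}", s.data.is_empty());
    let removed = store.cleanup(now);
    println!("cleanup removed {removed} stale session(s), {} remain", store.len());
}
```

The design point is that `resolve_session` has no code path that can return a session on the strength of the cookie's expiry claim alone, which is the property the section above attributes to Salvo; `cleanup` is the periodic sweep the application is responsible for scheduling.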
Read more: https://salvo.rs
Structs§
- CookieStore - A session store that serializes the entire session into a Cookie.
- HandlerBuilder - HandlerBuilder is a builder for SessionHandler.
- MemoryStore - In-memory session store.
- Session - The main session type.
- SessionHandler - SessionHandler is a middleware for session.
Constants§
- SESSION_KEY - Key for store data in depot.
Traits§
- SessionDepotExt - Trait for Depot to get and set session.
- SessionStore - An async session backend.