Async Typed Session Management in Rust

API documentation: docs.rs

Use typed-session to outsource all the low-level details of session management, such as session expiration and automatic renewal as well as change tracking of session data. Typed-session was designed to live up to the OWASP® Foundation's session security standards, with efficiency and usability in mind. With typed-session, you can take full advantage of Rust's type system to model your users' sessions.

Compatibility

Typed-session acts as a middleware in a web framework, injecting session information into HTTP requests as required, and storing sessions in a database.

Currently, the following session stores are available:

  • MemoryStore, a debug session store available under the feature flag memory-store.

Currently, typed-session is integrated into the following web frameworks:

  • none so far

Typed-session does not depend on any specific async runtime, and hence can be used with any.

Security

We have designed and implemented the crate with security in mind. Our design fulfils the requirements stated in The OWASP® Foundation's cheat sheet on session management. We additionally hash the session ids using the fast and secure hash function blake3 before storing them. To mitigate exploitable bugs we use #![forbid(unsafe_code)] to ensure everything is implemented in 100% safe Rust.

For further details, refer to the crate-level documentation.
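The id-hashing step described above, as an added example (not typed-session's code or API): a hypothetical `HashedStore` keys its rows by a digest of the session id and expires them on access, so a copy of the backend holds no value that works as a cookie. `demo_digest` is a non-cryptographic stand-in used only so the block builds without external crates; typed-session itself uses blake3.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Digest function; with the blake3 crate: `|id| *blake3::hash(id).as_bytes()`.
type Digest = fn(&[u8]) -> [u8; 32];

/// Hypothetical store, not typed-session's API: rows are keyed by digest(id) only.
struct HashedStore<T> {
    digest: Digest,
    rows: HashMap<[u8; 32], (T, Instant)>,
}

impl<T> HashedStore<T> {
    /// Store `data` under the digest of `id`, expiring after `ttl`.
    fn insert(&mut self, id: &[u8], data: T, ttl: Duration) {
        self.rows.insert((self.digest)(id), (data, Instant::now() + ttl));
    }
    /// Resolve a client-presented id; an expired row is deleted on access.
    fn load(&mut self, id: &[u8]) -> Option<&T> {
        let key = (self.digest)(id);
        if self.rows.get(&key).map_or(false, |(_, exp)| *exp <= Instant::now()) {
            self.rows.remove(&key);
        }
        self.rows.get(&key).map(|(data, _)| data)
    }
    /// What a reader of the backend (dump, backup) would see: digests only.
    fn stored_keys(&self) -> Vec<[u8; 32]> {
        self.rows.keys().copied().collect()
    }
}

/// Stand-in so the example builds without crates: FNV-1a widened to 32 bytes.
/// NOT cryptographic; a real store needs blake3 or another secure hash.
fn demo_digest(input: &[u8]) -> [u8; 32] {
    let mut out = [0u8; 32];
    for (lane, chunk) in out.chunks_mut(8).enumerate() {
        let seed = 0xcbf29ce484222325u64 ^ lane as u64;
        let h = input.iter().fold(seed, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3));
        chunk.copy_from_slice(&h.to_le_bytes());
    }
    out
}

fn main() {
    let mut store = HashedStore { digest: demo_digest, rows: HashMap::new() };
    // Constructed session id and payload, for illustration only.
    store.insert(b"constructed-session-id", "alice", Duration::from_secs(60));
    let leaked = store.stored_keys()[0];
    println!("cookie: {:?}", store.load(b"constructed-session-id"));
    println!("leaked key replayed: {:?}", store.load(&leaked));
}
```

Replaying a stored key fails because the store hashes whatever the client presents before the lookup; only the preimage held in the cookie resolves to a session.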

So far, this crate has not been reviewed for security. If you have the necessary skills and wish to contribute to an open source project, please get in touch.

Contributing

Want to join us? Check out our "Contributing" guide and take a look at some of these issues:

Any contribution you intentionally submit for inclusion in the work shall be licensed under the BSD-2-Clause license.

Acknowledgements

This work is based on the crate async-session by Yoshua Wuyts and Jacob Rothstein.

License

This crate is licensed under the BSD-2-Clause license.