Update session_auth_axum example #4033

Merged
merged 2 commits into from
Jun 2, 2025
gbj (Collaborator) commented May 30, 2025

There's a bunch of ceremony in the current version of the example that is no longer necessary in the present version of the framework: specifically the custom handlers are not needed.

gbj mentioned this pull request May 30, 2025
gbj force-pushed the update_session_auth branch from afeac46 to 0df6cd7 May 30, 2025 22:32
ricketyboo commented Jun 2, 2025

I was just about to make a stab at updating this project and then saw you'd already done so! Thank you!

FWIW, if you want a safety check, I've pulled this branch and run it; everything seems okay bar one thing that is probably pre-existing:

  • ✔️ Guest can add Todo
  • ✔️ Todo is associated to Guest when created by Guest
  • ✔️ Guest can delete Todo
  • ✔️ Guest can create an account
  • ✔️ Guest can log in to account
  • ✔️ Logged in user can add Todo
  • ✔️ Todo is associated to logged in user when created by Guest
  • ✔️ Logged in user can delete Todo
  • ✔️ Users in different browsers can interact with the same running app and see each other's updates after refresh
  • ❓ Remember me session cookie is set to expire ~3 months from today regardless of what was selected. This means closing the browser doesn't actually log the user out as the cookie doesn't clear and the session is kept alive on reopening. I suspect this isn't due to your changes and is just a configuration/implementation detail with axum_session_auth itself but I can't actually run the prior code to check so just thought I'd mention it!

gbj (Collaborator, Author) commented Jun 2, 2025

Thanks! I'm just going to leave the "Remember me" session cookie as is, because I didn't touch it here, and am just trying to update the preexisting example that someone else contributed. If you want to make a PR to fix it, that's very welcome!

gbj merged commit 829b07b into main Jun 2, 2025
267 checks passed
gbj deleted the update_session_auth branch June 2, 2025 23:44
ricketyboo commented

After digging into axum_session, and spending some more time thinking about the UX around dropping a session on browser close vs aligning to server session timeout, I've decided this is really dependent on application needs (security vs user convenience) and there's no "right" pattern here.

Juggling the conditionals to deal with server session time and a browser session is probably more complicated than this example needs to be so I won't touch it, as the project is doing its job fine as-is.
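
The behaviour reported in this thread (a persistent cookie being set regardless of the "Remember me" choice) can be checked from the `Set-Cookie` response header. This is an added example, not code from the PR or from axum_session_auth; the cookie name, sample values and function names are constructed for illustration.

```rust
#[derive(Debug, PartialEq)]
enum Lifetime {
    /// No Expires/Max-Age: the browser drops the cookie when it closes.
    BrowserSession,
    /// Max-Age (seconds) or Expires present: survives browser restarts.
    Persistent { max_age_secs: Option<i64> },
}

/// Classify one Set-Cookie header value by its lifetime attributes.
/// Per RFC 6265, attribute names are case-insensitive and Max-Age
/// takes precedence over Expires.
fn cookie_lifetime(set_cookie: &str) -> Lifetime {
    let mut has_expires = false;
    let mut max_age = None;
    // The first `name=value` pair is the cookie itself; the rest are attributes.
    for attr in set_cookie.split(';').skip(1) {
        let (name, value) = match attr.split_once('=') {
            Some((n, v)) => (n.trim(), v.trim()),
            None => (attr.trim(), ""),
        };
        if name.eq_ignore_ascii_case("max-age") {
            max_age = value.parse::<i64>().ok();
        } else if name.eq_ignore_ascii_case("expires") && !value.is_empty() {
            has_expires = true;
        }
    }
    match (max_age, has_expires) {
        (Some(secs), _) => Lifetime::Persistent { max_age_secs: Some(secs) },
        (None, true) => Lifetime::Persistent { max_age_secs: None },
        (None, false) => Lifetime::BrowserSession,
    }
}

/// True when the cookie's lifetime matches the user's "Remember me" choice.
fn honours_remember_me(set_cookie: &str, remember_me: bool) -> bool {
    let persistent = cookie_lifetime(set_cookie) != Lifetime::BrowserSession;
    persistent == remember_me
}

fn main() {
    // Constructed sample headers; 7776000 s is 90 days.
    let persistent = "session=PLACEHOLDER; Path=/; HttpOnly; Max-Age=7776000";
    let session_only = "session=PLACEHOLDER; Path=/; HttpOnly";
    // "Remember me" unticked: only the second header matches the user's choice.
    println!("persistent cookie ok: {}", honours_remember_me(persistent, false));
    println!("session cookie ok:    {}", honours_remember_me(session_only, false));
}
```

Whether a mismatch is a defect depends on the application, as the comment above notes; the check only makes the cookie's actual lifetime visible.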
