Sessions & login
Signed-cookie sessions for admin, operators, and tenant users.
Sessions are signed cookies (HMAC-SHA256) keyed by RUSTANGO_SESSION_SECRET. The SessionUser extractor authenticates tenant users; SessionOperator guards the operator console. Server-side opaque sessions are available via the sessions feature.
Set a real secret
In production, set a strong RUSTANGO_SESSION_SECRET (32+ bytes). The dev default is not safe: anyone who knows the signing secret can forge a valid session cookie.
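The signing scheme and the secret-length rule described above, as an added Python example (not Rustango's own code): a cookie carrying an HMAC-SHA256 tag is accepted only if the tag verifies under the configured secret, and startup fails when the secret is missing or shorter than 32 bytes. The "<body>.<tag>" layout, the payload fields and the function names are assumptions for illustration and do not describe Rustango's actual cookie format or API.

```python
import base64, hashlib, hmac, json, os

MIN_SECRET_BYTES = 32  # the "32+ bytes" guidance from this page

def load_secret(env=os.environ) -> bytes:
    """Read RUSTANGO_SESSION_SECRET; refuse a missing or short value."""
    secret = env.get("RUSTANGO_SESSION_SECRET", "").encode()
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("RUSTANGO_SESSION_SECRET must be at least 32 bytes")
    return secret

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, payload: dict) -> str:
    """Return "<body>.<tag>" with tag = HMAC-SHA256(secret, body)."""
    body = b64e(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64e(tag)}"

def verify(secret: bytes, cookie: str):
    """Return the payload if the tag checks out, otherwise None."""
    try:
        body, tag = cookie.split(".")
        got = b64d(tag)
    except ValueError:  # wrong number of parts or bad base64
        return None
    want = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(got, want):  # constant-time comparison
        return None
    return json.loads(b64d(body))

if __name__ == "__main__":
    secret = os.urandom(32)  # constructed sample key for the demo
    cookie = sign(secret, {"tenant": "acme", "user_id": 7})  # hypothetical fields
    print(verify(secret, cookie))          # payload comes back intact
    print(verify(os.urandom(32), cookie))  # None: signed under another key
```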