Rustango docs

Sessions & login

Signed-cookie sessions for admin, operators, and tenant users.

Sessions are signed cookies (HMAC-SHA256) keyed by RUSTANGO_SESSION_SECRET. The SessionUser extractor authenticates tenant users; SessionOperator guards the operator console. Server-side opaque sessions are available via the sessions feature.

Set a real secret

In production, set a strong RUSTANGO_SESSION_SECRET (32+ bytes). The dev default is not safe.
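A fail-closed startup check for the guidance above, as an added example that is not part of Rustango. `check_session_secret`, `SecretError` and the distinct-byte heuristic are hypothetical, and the length is measured on the environment string as given, since the page does not say how the value is decoded.

```rust
use std::collections::HashSet;

/// Minimum length from the guidance above: 32+ bytes.
const MIN_SECRET_BYTES: usize = 32;

#[derive(Debug, PartialEq)]
enum SecretError {
    Missing,
    TooShort { got: usize },
    LowVariety { distinct: usize },
}

/// Hypothetical helper (not a Rustango API): validate the raw value of
/// RUSTANGO_SESSION_SECRET before the server accepts any request.
fn check_session_secret(raw: Option<&str>) -> Result<(), SecretError> {
    // Unset and empty are treated the same, so the process never falls
    // back silently to a development default.
    let secret = raw.filter(|s| !s.is_empty()).ok_or(SecretError::Missing)?;
    let bytes = secret.as_bytes();
    if bytes.len() < MIN_SECRET_BYTES {
        return Err(SecretError::TooShort { got: bytes.len() });
    }
    // Heuristic (an assumption of this example): 32 random bytes written
    // as hex or base64 contain far more than 8 distinct byte values, so
    // fewer points to a placeholder such as a repeated character.
    let distinct = bytes.iter().collect::<HashSet<_>>().len();
    if distinct < 8 {
        return Err(SecretError::LowVariety { distinct });
    }
    Ok(())
}

fn main() {
    let raw = std::env::var("RUSTANGO_SESSION_SECRET").ok();
    match check_session_secret(raw.as_deref()) {
        Ok(()) => println!("session secret accepted"),
        Err(e) => {
            // Report the reason only; never log the secret itself.
            eprintln!("refusing to start: RUSTANGO_SESSION_SECRET rejected: {:?}", e);
            std::process::exit(1);
        }
    }
}
```

Run it as a pre-start step in the production entrypoint so a missing or placeholder secret stops the deploy instead of signing cookies with a guessable key.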