Description
This was already mentioned in #40 but I think it still applies. From looking at the code, it seems that the cookie is just the serialized Session instance and as such could easily be modified. Any signing has to be done externally, by middleware.
This means that the middleware has to be aware of the SessionStore implementation and whether the data needs to be protected or not. In the case of axum-sessions they always HMAC the cookie value, which is unnecessary given that the cookie value is just random data for most store implementations.
The docs should probably make it clear that there is no signing of the value in this crate. It would be possible for CookieStore to handle signing (and possibly encryption) of the cookie value though, which would (optionally) remove the responsibility from the various middleware implementations. I could try and put together a PR if this makes sense?
Activity