Enum Cookies
pub enum Cookies<'a> {
// some variants omitted
}
Expand description
Collection of one or more HTTP cookies.
The Cookies
type allows for retrieval of cookies from an incoming request
as well as modifications to cookies to be reflected by Rocket on outgoing
responses. Cookies
is a smart-pointer; it internally borrows and refers to
the collection of cookies active during a request’s life-cycle.
§Usage
A type of Cookies
can be retrieved via its FromRequest
implementation as
a request guard or via the Request::cookies()
method. Individual cookies
can be retrieved via the get()
and get_private()
methods. Cookies
can be added or removed via the add()
, add_private()
, remove()
,
and remove_private()
methods.
§Examples
The following short snippet shows Cookies
being used as a request guard in
a handler to retrieve the value of a “message” cookie.
use rocket::http::Cookies;
#[get("/message")]
fn message(cookies: Cookies) -> Option<String> {
cookies.get("message").map(|c| format!("Message: {}", c.value()))
}
The following snippet shows Cookies
being retrieved from a Request
in a
custom request guard implementation for User
. A private cookie
containing a user’s ID is retrieved. If the cookie exists and the ID parses
as an integer, a User
structure is validated. Otherwise, the guard
forwards.
use rocket::http::Status;
use rocket::outcome::IntoOutcome;
use rocket::request::{self, Request, FromRequest};
// In practice, we'd probably fetch the user from the database.
struct User(usize);
impl<'a, 'r> FromRequest<'a, 'r> for User {
type Error = !;
fn from_request(request: &'a Request<'r>) -> request::Outcome<User, !> {
request.cookies()
.get_private("user_id")
.and_then(|cookie| cookie.value().parse().ok())
.map(|id| User(id))
.or_forward(())
}
}
§Private Cookies
Private cookies are just like regular cookies except that they are encrypted using authenticated encryption, a form of encryption which simultaneously provides confidentiality, integrity, and authenticity. This means that private cookies cannot be inspected, tampered with, or manufactured by clients. If you prefer, you can think of private cookies as being signed and encrypted.
Private cookies can be retrieved, added, and removed from a Cookies
collection via the get_private()
, add_private()
, and
remove_private()
methods.
§Encryption Key
To encrypt private cookies, Rocket uses the 256-bit key specified in the
secret_key
configuration parameter. If one is not specified, Rocket will
automatically generate a fresh key. Note, however, that a private cookie can
only be decrypted with the same key with which it was encrypted. As such, it
is important to set a secret_key
configuration parameter when using
private cookies so that cookies decrypt properly after an application
restart. Rocket will emit a warning if an application is run in production
mode without a configured secret_key
.
Generating a string suitable for use as a secret_key
configuration value
is usually done through tools like openssl
. Using openssl
, for instance,
a 256-bit base64 key can be generated with the command openssl rand -base64 32
.
Implementations§
§impl<'a> Cookies<'a>
impl<'a> Cookies<'a>
pub fn get(&self, name: &str) -> Option<&Cookie<'static>>
pub fn get(&self, name: &str) -> Option<&Cookie<'static>>
Returns a reference to the Cookie
inside this container with the name
name
. If no such cookie exists, returns None
.
§Example
use rocket::http::Cookies;
fn handler(cookies: Cookies) {
let cookie = cookies.get("name");
}
pub fn add(&mut self, cookie: Cookie<'static>)
pub fn add(&mut self, cookie: Cookie<'static>)
Adds cookie
to this collection.
§Example
use rocket::http::{Cookie, Cookies};
fn handler(mut cookies: Cookies) {
cookies.add(Cookie::new("name", "value"));
let cookie = Cookie::build("name", "value")
.path("/")
.secure(true)
.finish();
cookies.add(cookie);
}
pub fn remove(&mut self, cookie: Cookie<'static>)
pub fn remove(&mut self, cookie: Cookie<'static>)
Removes cookie
from this collection and generates a “removal” cookies
to send to the client on response. For correctness, cookie
must
contain the same path
and domain
as the cookie that was initially
set. Failure to provide the initial path
and domain
will result in
cookies that are not properly removed.
A “removal” cookie is a cookie that has the same name as the original cookie but has an empty value, a max-age of 0, and an expiration date far in the past.
§Example
use rocket::http::{Cookie, Cookies};
fn handler(mut cookies: Cookies) {
cookies.remove(Cookie::named("name"));
}
§impl<'a> Cookies<'a>
impl<'a> Cookies<'a>
pub fn get_private(&mut self, name: &str) -> Option<Cookie<'static>>
pub fn get_private(&mut self, name: &str) -> Option<Cookie<'static>>
Returns a reference to the Cookie
inside this collection with the name
name
and authenticates and decrypts the cookie’s value, returning a
Cookie
with the decrypted value. If the cookie cannot be found, or the
cookie fails to authenticate or decrypt, None
is returned.
This method is only available when the private-cookies
feature is
enabled.
§Example
use rocket::http::Cookies;
fn handler(mut cookies: Cookies) {
let cookie = cookies.get_private("name");
}
pub fn add_private(&mut self, cookie: Cookie<'static>)
pub fn add_private(&mut self, cookie: Cookie<'static>)
Adds cookie
to the collection. The cookie’s value is encrypted with
authenticated encryption assuring confidentiality, integrity, and
authenticity. The cookie can later be retrieved using
get_private
and removed using
remove_private
.
Unless a value is supplied for the given key, the following defaults are
set on cookie
before being added to self
:
path
:"/"
SameSite
:Strict
HttpOnly
:true
Expires
: 1 week from now
These defaults ensure maximum usability and security. For additional
security, you may wish to set the secure
flag.
This method is only available when the private-cookies
feature is
enabled.
§Example
use rocket::http::{Cookie, Cookies};
fn handler(mut cookies: Cookies) {
cookies.add_private(Cookie::new("name", "value"));
}
pub fn remove_private(&mut self, cookie: Cookie<'static>)
pub fn remove_private(&mut self, cookie: Cookie<'static>)
Removes the private cookie
from the collection.
For correct removal, the passed in cookie
must contain the same path
and domain
as the cookie that was initially set. If a path is not set
on cookie
, the "/"
path will automatically be set.
This method is only available when the private-cookies
feature is
enabled.
§Example
use rocket::http::{Cookie, Cookies};
fn handler(mut cookies: Cookies) {
cookies.remove_private(Cookie::named("name"));
}