Persisting sessions with axum-login and redis

adauguet · November 12, 2025, 9:55pm

Hello folks!

I am building a small server with axum-login. I replaced the MemoryStore by a RedisStore, following the example in tower-sessions-stores/redis-store.

I was expecting sessions to survive a server restart, but they do not. Is that expected or am I missing something?

Inspecting redis, I can see that the cookie is persisted when the server is down. Yet when I run it again, as soon as I run a query the cookie is being removed by axum-login.

I did not manage to decode the redis key but it seems some parts are changing (not only the argon2 sha).

Shouldn't sessions be persisted over server restart?

Here is my code, summarized:

Code

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    tracing_subscriber::fmt()
        .with_max_level(tracing::Level::DEBUG)
        .init();

    let redis_pool =
        Pool::new(Config::default(), None, None, None, 6).expect("could not create Redis pool");

    let redis_conn = redis_pool.connect();
    redis_pool.wait_for_connect().await?;

    let session_store = RedisStore::new(redis_pool);
    let session_layer = SessionManagerLayer::new(session_store)
        .with_expiry(Expiry::OnInactivity(Duration::days(1)))
        .with_secure(false);

    let backend = users::Backend::new();
    let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer).build();

    let app = Router::new()
        .route(
            "/login",
            get(auth::get_login)
                .route_layer(login_required!(users::Backend))
                .delete(auth::logout)
                .route_layer(login_required!(users::Backend))
                .post(auth::post_login),
        )
        .layer(auth_layer);

    let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
    let listener = tokio::net::TcpListener::bind(addr).await.unwrap();
    axum::serve(listener, app).await.unwrap();

    redis_conn.await??;

    Ok(())
}

and also:

impl AuthnBackend for Backend {
    type User = User;
    type Credentials = Credentials;
    type Error = Error;

    async fn authenticate(
        &self,
        creds: Self::Credentials,
    ) -> Result<Option<Self::User>, Self::Error> {
        println!("authenticate");

        let user: Option<Self::User> = self.users.get(&creds.email).cloned();

        // Verifying the password is blocking and potentially slow, so we'll do so via
        // `spawn_blocking`.
        task::spawn_blocking(|| {
            // We're using password-based authentication--this works by comparing our form
            // input with an argon2 password hash.
            Ok(user.filter(|user| verify_password(creds.password, &user.password).is_ok()))
        })
        .await?
    }

    async fn get_user(&self, email: &UserId<Self>) -> Result<Option<Self::User>, Self::Error> {
        Ok(self.users.get(email).cloned())
    }
}

adauguet · November 13, 2025, 5:02pm

I think I know what might be happening: I am still using a HashMap to store users, instead of some proper DB. Password hash is recreated at start up, and is probably different every time, although I lack knowledge about argon2.

Topic		Replies	Views
Sessions not storing data help	2	100	May 25, 2025
How to make session persistent in Actix-web? help	5	1328	July 23, 2023
First very small Rust site + Question about remembering sessions in API code review	33	3114	December 25, 2020
Functions to implement sessions code review	10	1186	December 30, 2020
Problems keeping the session active help	1	60	December 1, 2024

Persisting sessions with axum-login and redis

Related topics