From 67ade781295e350f8de24f8fb0914ee449833141 Mon Sep 17 00:00:00 2001
From: Max Countryman
Date: Mon, 15 Jan 2024 09:51:01 -0800
Subject: [PATCH] ensure warn on missing record
---
 tower-sessions-core/src/session.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tower-sessions-core/src/session.rs b/tower-sessions-core/src/session.rs
index 50eb0bb..0caeb9a 100644
--- a/tower-sessions-core/src/session.rs
+++ b/tower-sessions-core/src/session.rs
@@ -112,7 +112,12 @@ impl Session {
 Some(loaded_record)
 }
 None => {
- tracing::trace!("record not found in store");
+ // A well-behaved user agent should not send session cookies after
+ // expiration. Even so it's possible for an expired session to be removed
+ // after a request was initiated. However, such a race should be relatively
+ // uncommon and as such entering this branch could indicate malicious
+ // behavior.
+ tracing::warn!("possibly suspicious activity: record not found in store");
 *self.session_id.lock() = None;
 Some(self.create_record())
 }
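Review bot: The new `tracing::warn!` in the `None` arm fires for every request that presents a session cookie whose id is not in the store, so an unauthenticated client can emit it at will. Benign causes beyond the race named in the comment, such as a store that was flushed or restarted if the backend is not durable, would presumably land here too. The event carries no fields, which makes it hard to aggregate or rate-limit on the detection side; a stable field would help, e.g. `tracing::warn!(reason = "record_not_found", "possibly suspicious activity: record not found in store");`. I would also extend the comment with `// Store eviction or a restart can also lead here; treat a single event as a weak signal and alert on rate.` The enclosing function begins and ends outside this hunk, so how the presented id is parsed before the lookup is not visible here.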