diff --git a/Cargo.lock b/Cargo.lock
index bb28cbc..c5fc563 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -390,24 +390,6 @@ dependencies = [
  "time 0.3.11",
 ]
 
-[[package]]
-name = "actix-session"
-version = "0.6.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c9138a66462f1e65da829f9c0de81b44a96dfe193a4f19bfea32ee2be312368"
-dependencies = [
- "actix-service",
- "actix-utils",
- "actix-web",
- "anyhow",
- "async-trait",
- "derive_more",
- "serde",
- "serde_json",
- "time 0.3.11",
- "tracing",
-]
-
 [[package]]
 name = "actix-session"
 version = "0.7.0"
@@ -1136,7 +1118,7 @@ name = "basics"
 version = "1.0.0"
 dependencies = [
  "actix-files",
- "actix-session 0.5.0",
+ "actix-session 0.7.0",
  "actix-web",
  "async-stream",
  "env_logger 0.9.0",
@@ -1677,7 +1659,7 @@ dependencies = [
 name = "cookie-session"
 version = "1.0.0"
 dependencies = [
- "actix-session 0.6.2",
+ "actix-session 0.7.0",
  "actix-web",
  "env_logger 0.9.0",
  "log",
@@ -6207,7 +6189,7 @@ name = "todo"
 version = "1.0.0"
 dependencies = [
  "actix-files",
- "actix-session 0.5.0",
+ "actix-session 0.7.0",
  "actix-web",
  "actix-web-lab",
  "dotenv",
diff --git a/auth/cookie-session/Cargo.toml b/auth/cookie-session/Cargo.toml
index 5117c3e..6a873b5 100644
--- a/auth/cookie-session/Cargo.toml
+++ b/auth/cookie-session/Cargo.toml
@@ -5,6 +5,6 @@ edition = "2021"
 
 [dependencies]
 actix-web = "4"
-actix-session = { version = "0.6", features = ["cookie-session"] }
+actix-session = { version = "0.7", features = ["cookie-session"] }
 log = "0.4"
 env_logger = "0.9"
diff --git a/basics/basics/Cargo.toml b/basics/basics/Cargo.toml
index 6135ad5..0e79abf 100644
--- a/basics/basics/Cargo.toml
+++ b/basics/basics/Cargo.toml
@@ -4,9 +4,9 @@ version = "1.0.0"
 edition = "2021"
 
 [dependencies]
-actix-web = "4"
 actix-files = "0.6"
-actix-session = "0.5"
+actix-session = { version = "0.7", features = ["cookie-session"] }
+actix-web = "4"
 
 async-stream = "0.3"
 env_logger = "0.9"
diff --git a/basics/basics/src/main.rs b/basics/basics/src/main.rs
index 6f47aae..305d125 100644
--- a/basics/basics/src/main.rs
+++ b/basics/basics/src/main.rs
@@ -1,8 +1,7 @@
-use std::convert::Infallible;
-use std::io;
+use std::{convert::Infallible, io};
 
 use actix_files::{Files, NamedFile};
-use actix_session::{CookieSession, Session};
+use actix_session::{storage::CookieSessionStore, Session, SessionMiddleware};
 use actix_web::{
     error, get,
     http::{
@@ -13,6 +12,9 @@ use actix_web::{
 };
 use async_stream::stream;
 
+// NOTE: Not a suitable session key for production.
+static SESSION_SIGNING_KEY: &[u8] = &[0; 64];
+
 /// favicon handler
 #[get("/favicon")]
 async fn favicon() -> Result<impl Responder> {
@@ -76,14 +78,21 @@ async fn with_param(req: HttpRequest, path: web::Path<(String,)>) -> HttpRespons
 async fn main() -> io::Result<()> {
     env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
 
+    // random key means that restarting server will invalidate existing session cookies
+    let key = actix_web::cookie::Key::from(SESSION_SIGNING_KEY);
+
     log::info!("starting HTTP server at http://localhost:8080");
 
-    HttpServer::new(|| {
+    HttpServer::new(move || {
         App::new()
             // enable automatic response compression - usually register this first
             .wrap(middleware::Compress::default())
             // cookie session middleware
-            .wrap(CookieSession::signed(&[0; 32]).secure(false))
+            .wrap(
+                SessionMiddleware::builder(CookieSessionStore::default(), key.clone())
+                    .cookie_secure(false)
+                    .build(),
+            )
             // enable logger - always register Actix Web Logger middleware last
             .wrap(middleware::Logger::default())
             // register favicon
diff --git a/basics/todo/Cargo.toml b/basics/todo/Cargo.toml
index ce584df..2fffe9d 100644
--- a/basics/todo/Cargo.toml
+++ b/basics/todo/Cargo.toml
@@ -5,7 +5,7 @@ edition = "2021"
 
 [dependencies]
 actix-files = "0.6"
-actix-session = "0.5"
+actix-session = { version = "0.7", features = ["cookie-session"] }
 actix-web = "4"
 actix-web-lab = "0.16"
 
diff --git a/basics/todo/src/main.rs b/basics/todo/src/main.rs
index 52a463e..938f194 100644
--- a/basics/todo/src/main.rs
+++ b/basics/todo/src/main.rs
@@ -1,7 +1,7 @@
 use std::{env, io};
 
 use actix_files::Files;
-use actix_session::CookieSession;
+use actix_session::{storage::CookieSessionStore, SessionMiddleware};
 use actix_web::{
     http,
     middleware::{ErrorHandlers, Logger},
@@ -15,13 +15,16 @@ mod db;
 mod model;
 mod session;
 
-static SESSION_SIGNING_KEY: &[u8] = &[0; 32];
+// NOTE: Not a suitable session key for production.
+static SESSION_SIGNING_KEY: &[u8] = &[0; 64];
 
 #[actix_web::main]
 async fn main() -> io::Result<()> {
     dotenv().ok();
     env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
 
+    let key = actix_web::cookie::Key::from(SESSION_SIGNING_KEY);
+
     let database_url = env::var("DATABASE_URL").expect("DATABASE_URL must be set");
     let pool = db::init_pool(&database_url)
         .await
@@ -35,7 +38,9 @@ async fn main() -> io::Result<()> {
         let mut templates = Tera::new("templates/**/*").expect("errors in tera templates");
         templates.autoescape_on(vec!["tera"]);
 
-        let session_store = CookieSession::signed(SESSION_SIGNING_KEY).secure(false);
+        let session_store = SessionMiddleware::builder(CookieSessionStore::default(), key.clone())
+            .cookie_secure(false)
+            .build();
 
         let error_handlers = ErrorHandlers::new()
             .handler(
diff --git a/basics/todo/src/session.rs b/basics/todo/src/session.rs
index 24edf66..5230549 100644
--- a/basics/todo/src/session.rs
+++ b/basics/todo/src/session.rs
@@ -5,11 +5,11 @@ use serde::{Deserialize, Serialize};
 const FLASH_KEY: &str = "flash";
 
 pub fn set_flash(session: &Session, flash: FlashMessage) -> Result<()> {
-    session.insert(FLASH_KEY, flash)
+    Ok(session.insert(FLASH_KEY, flash)?)
 }
 
 pub fn get_flash(session: &Session) -> Result<Option<FlashMessage>> {
-    session.get::<FlashMessage>(FLASH_KEY)
+    Ok(session.get::<FlashMessage>(FLASH_KEY)?)
 }
 
 pub fn clear_flash(session: &Session) {