/ 
http-session-0.53
⭐ Starred 16
Security Advisories (1)
CVE-2026-3256 (2026-03-28)

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.

Changes for version 0.53 - 2024-03-07

  • version up to fix PUUSE indexing problem.

Documentation

README.md

Modules

HTTP::Session
simple session
HTTP::Session::State::Cookie
Maintain session IDs using cookies
HTTP::Session::State::Null
nop
HTTP::Session::State::Test
state module for testing
HTTP::Session::State::URI
embed session id to uri
HTTP::Session::Store::CHI
store session data with CHI
HTTP::Session::Store::DBM
DBM session store
HTTP::Session::Store::File
File session store
HTTP::Session::Store::Memcached
store session data in memcached
HTTP::Session::Store::Null
dummy module for session store
HTTP::Session::Store::OnMemory
store session data on memory
HTTP::Session::Store::Test
store session data on memory for testing

Provides

HTTP::Session::Expired
in lib/HTTP/Session/Expired.pm
HTTP::Session::Finalized
in lib/HTTP/Session/Finalized.pm
HTTP::Session::ID::MD5
in lib/HTTP/Session/ID/MD5.pm
HTTP::Session::ID::SHA1
in lib/HTTP/Session/ID/SHA1.pm
HTTP::Session::ID::Urandom
in lib/HTTP/Session/ID/Urandom.pm
HTTP::Session::State::Base
in lib/HTTP/Session/State/Base.pm
HTTP::Session::State::Mixin::ResponseFilter
in lib/HTTP/Session/State/Mixin/ResponseFilter.pm

Examples

Other files