NAME

Dancer::Plugin::SecureSessionID - A secure replacement of Dancer's built-in session id generator

VERSION

Version 0.02

SYNOPSIS

use Dancer::Plugin::SecureSessionID;

use_secure_session_id;

DESCRIPTION

This plugin overrides the build_id() method in Dancer::Session::Abstract and make use of Crypt::OpenSSL::Random to get really secure random session ids.

METHODS

`use_secure_session_id([ %options ])`

In a previous version of the module, the options ware passed into Crypt::Random::makerandom_octet(...). For compatibility reasons, the option-keys Strength, Length and Skip are still valid. Other option-keys are no longer supported.

The defaults are Strength=1 and Length=16. These options can be set with plugin settings, too.

use_secure_session_id(Length => 20, Uniform => 1, Skip => 512);

same as:

plugins:
  SecureSessionID:
    Length: 20
    Uniform: 1
    Skip: 512

The result is encoded with base64url(). A length of 16 random bytes results in 22 characters.

SECURITY WARNING

Any session module which does not override build_id() make profit from this plugin. This behaviour may change in future. Don't rely on it without auditing the source code of the affected session modules. By now, both the Simple and YAML session engines (shipped with the Dancer package) do not override build_id so this plugin works as expected.

Addtionally, mind the blocking behaviour when Strength=1 is requested. If your application blocks, you can set the Strength option to 0. This may be a lack of security but it helps to improve performance. Since your application cause network traffic, the entropy pool will be recharged often enough to never get stalled. See also the manpage of your random device.

AUTHOR

David Zurborg, <zurborg@cpan.org>

BUGS

Please report any bugs or feature requests trough my project management tool at http://development.david-zurb.org/projects/libdancer-plugin-securesessionid/issues/new. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

perldoc Dancer::Plugin::SecureSessionID

You can also look for information at:

Redmine: Homepage of this module

http://development.david-zurb.org/projects/libdancer-plugin-securesessionid
RT: CPAN's request tracker

http://rt.cpan.org/NoAuth/Bugs.html?Dist=Dancer-Plugin-SecureSessionID
AnnoCPAN: Annotated CPAN documentation

http://annocpan.org/dist/Dancer-Plugin-SecureSessionID
CPAN Ratings

http://cpanratings.perl.org/d/Dancer-Plugin-SecureSessionID
Search CPAN

http://search.cpan.org/dist/Dancer-Plugin-SecureSessionID/

COPYRIGHT & LICENSE

This program is released under the following license: open-source

To install Dancer::Plugin::SecureSessionID, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Dancer::Plugin::SecureSessionID

CPAN shell

perl -MCPAN -e shell
install Dancer::Plugin::SecureSessionID

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)