/ 
http-session-0.53
⭐ Starred 16 / HTTP::Session::State::Cookie
Security Advisories (1)
CVE-2026-3256 (2026-03-28)

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.

NAME

HTTP::Session::State::Cookie - Maintain session IDs using cookies

SYNOPSIS

HTTP::Session->new(
    state => HTTP::Session::State::Cookie->new(
        name   => 'foo_sid',
        path   => '/my/',
        domain => 'example.com,
    ),
    store => ...,
    request => ...,
);

DESCRIPTION

Maintain session IDs using cookies

CONFIGURATION

name

cookie name.

default: http_session_sid
path

path.

default: /
domain
default: undef
expires

expiration date.e.g. "+3M". see also CGI::Cookie.

default: undef
secure

Set secure flag or not.

default: undef

METHODS

header_filter($res)

header filter

get_session_id
response_filter

for internal use only

HOW TO USE YOUR OWN CGI::Simple::Cookie?

use HTTP::Session::State::Cookie;
BEGIN {
$HTTP::Session::State::Cookie::COOKIE_CLASS = 'CGI/Simple/Cookie.pm';
}

SEE ALSO

HTTP::Session, CGI::Cookie, CGI::Simple::Cookie