Security Advisories (1)
CVE-2026-9692 (2026-06-18)

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.

NAME

Mojolicious::Sessions::Storable - Storable session manager for Mojolicious

SYNOPSIS

use Mojolicious::Lite;
use Mojolicious::Sessions::Storable;

use Plack::Session::Store::File;

my $sessions = Mojolicious::Sessions::Storable->new(
    session_store => Plack::Session::Store::File->new
);

app->sessions($sessions);

DESCRIPTION

Mojolicious::Sessions::Storable is a storable session manager for Mojolicious.

OPTIONS

Mojolicious::Sessions::Storable inherits all options from Mojolicious::Sessions and supports the following new ones.

session_store

This is expected to be an instance of Plack::Session::Store or an object that implements the same interface. If no option is provided the default Mojolicious::Sessions will be used.

sid_generator

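This is a CODE ref used to generate unique session ids. By default it generates a SHA-1 hash. As the advisory at the top of this page notes, in versions through 0.05 that hash is seeded from the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID, which are predictable or low-entropy sources, so applications that rely on session ids for security should pass their own generator.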
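One way to override the default generator, shown as an added example that is not part of the module's own documentation or code. It assumes the CPAN module Crypt::URandom is installed and that the generator is invoked without arguments; the helper name secure_sid and the route are hypothetical.

```perl
use strict;
use warnings;

use Mojolicious::Lite;
use Mojolicious::Sessions::Storable;
use Plack::Session::Store::File;
use Crypt::URandom qw(urandom);    # assumption: installed from CPAN

# Hypothetical helper: 20 bytes (160 bits) from the operating system's
# CSPRNG, hex-encoded to 40 characters. This keeps the same shape as the
# SHA-1 hex ids the default generator returns, so stores and validators
# that expect that format keep working.
sub secure_sid {
    my $bytes = urandom(20);
    die "short read from OS random source\n" unless length($bytes) == 20;
    return unpack 'H*', $bytes;
}

# Startup self-check: fail closed if the generator ever returns a
# malformed or repeated id instead of serving sessions with it.
my %seen;
for ( 1 .. 1000 ) {
    my $sid = secure_sid();
    die "malformed session id\n" unless $sid =~ /\A[0-9a-f]{40}\z/;
    die "duplicate session id\n" if $seen{$sid}++;
}

my $sessions = Mojolicious::Sessions::Storable->new(
    session_store => Plack::Session::Store::File->new,
    sid_generator => \&secure_sid,    # replaces the rand/time/PID based default
);

app->sessions($sessions);

# Constructed route that touches the session so an id is issued.
get '/' => sub {
    my $c = shift;
    my $visits = ( $c->session('visits') // 0 ) + 1;
    $c->session( visits => $visits );
    $c->render( text => "visits: $visits" );
};

app->start;
```

Session ids issued before the override was deployed remain in the store; clearing the store forces every client onto a newly generated id.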

METHODS

Mojolicious::Sessions::Storable inherits all methods from Mojolicious::Sessions.

AUTHOR

hayajo <hayajo@cpan.org>

COPYRIGHT

Copyright 2013- hayajo

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Mojolicious, Mojolicious::Sessions, Mojolicious::Plugin::SessionStore, Plack::Middleware::Session