Security Advisories (1)

CVE-2025-40931 (2026-03-05)

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

NAME

Apache::Session::DB_File - An implementation of Apache::Session

SYNOPSIS

use Apache::Session::DB_File;

tie %hash, 'Apache::Session::DB_File', $id, {
   FileName      => 'sessions.db',
   LockDirectory => '/var/lock/sessions',
};

DESCRIPTION

This module is an implementation of Apache::Session. It uses the DB_File backing store and the File locking scheme. You must specify the filename of the database file and the directory for locking in arguments to the constructor. See the example, and the documentation for Apache::Session::Store::DB_File and Apache::Session::Lock::File.

AUTHOR

This module was written by Jeffrey William Baker <jwbaker@acm.org>.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

AUTHOR

SEE ALSO

Module Install Instructions