Security Advisories (2)
CPANSA-Plack-Middleware-Session-2014-01 (2014-08-11)

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server, when the middleware is enabled without a secret.

CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

NAME

Plack::Session::State::Cookie - Basic cookie-based session state

SYNOPSIS

use Plack::Builder;
use Plack::Middleware::Session;

my $app = sub {
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello Foo' ] ];
};

builder {
    enable 'Session'; # Cookie is the default state
    $app;
};

DESCRIPTION

This is a subclass of Plack::Session::State and implements its full interface. This is the default state used in Plack::Middleware::Session.

METHODS

new ( %params )

The %params can include path, domain, expires, secure, and httponly options, as well as all the options accepted by Plack::Session::Store.

path

Path of the cookie; defaults to "/".

domain

Domain of the cookie; if nothing is supplied, it is not included in the cookie.

expires

Expiration time of the cookie in seconds; if nothing is supplied, it is not included in the cookie, which means the session expires per browser session.

secure

Secure flag for the cookie; if nothing is supplied, it is not included in the cookie.

httponly

HttpOnly flag for the cookie; if nothing is supplied, it is not included in the cookie.
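The options above are all optional and all off by default, so a bare `enable 'Session'` issues a cookie with none of the Secure or HttpOnly flags and no expiry. The following PSGI application is an added example (not code from this module or its author) showing an explicit state object with every option set, plus a store and a replacement `sid_generator`. The `sid_generator` and `session_key` parameters belong to the parent class Plack::Session::State and are not documented on this page; reading 20 bytes from `/dev/urandom` is this example's own choice (Unix only) and is sized to match the parent class's default `sid_validator`, which accepts 40 lowercase hex characters. On 0.35 and later the default generator is already fixed and the override is unnecessary; on older versions the real remedy is upgrading, and the override only illustrates where the hook sits.

```perl
use strict;
use warnings;
use Plack::Builder;
use Plack::Middleware::Session;
use Plack::Session::State::Cookie;
use Plack::Session::Store::File;

# Replacement session-id generator (example's choice, not the module's
# default): 20 bytes from /dev/urandom, hex-encoded to 40 characters so
# that the parent class's default sid_validator still accepts the id.
my $urandom_sid = sub {
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 20;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 20;
    return unpack 'H*', $bytes;
};

# Cookie state with every option from this page set explicitly.
my $state = Plack::Session::State::Cookie->new(
    session_key   => 'plack_session', # cookie name (parent-class default)
    path          => '/',
    # domain      => 'example.com',   # placeholder; set only if the cookie
                                      # must be shared across subdomains
    expires       => 3600,            # seconds; emitted as Expires = now + 3600
    secure        => 1,               # browser sends the cookie over HTTPS only
    httponly      => 1,               # not readable via document.cookie
    sid_generator => $urandom_sid,
);

# File-backed store (default directory); works across worker processes.
my $store = Plack::Session::Store::File->new;

# Application: the middleware exposes the session hash in psgix.session.
my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{visits}++;
    return [
        200,
        [ 'Content-Type' => 'text/plain' ],
        [ "Visits this session: $session->{visits}\n" ],
    ];
};

builder {
    enable 'Session', state => $state, store => $store;
    $app;
};
```

Save this as `app.psgi` and run it with `plackup app.psgi`; the first response should carry a `Set-Cookie: plack_session=...` header with `path=/`, an `expires=` attribute, and the `secure` and `HttpOnly` attributes. Because `secure` is set, a browser will not send the cookie back over plain `http://localhost`, so test the round trip behind TLS or temporarily drop `secure` for local development only.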

BUGS

All complex software has bugs lurking in it, and this module is no exception. If you find a bug please either email me, or add the bug to cpan-RT.

AUTHOR

Stevan Little <stevan.little@iinteractive.com>

COPYRIGHT AND LICENSE

Copyright 2009, 2010 Infinity Interactive, Inc.

http://www.iinteractive.com

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.