Security Advisories (1)
CVE-2025-40925 (2025-09-20)

Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash of a counter, the epoch time, the output of the built-in rand function, the PID, and internal Perl reference addresses. The PID comes from a small set of numbers, and the epoch time can be guessed if it is not leaked outright by the HTTP Date header. The built-in rand function is unsuitable for cryptographic use. Hashing these inputs with SHA-1 does not add entropy; it only obscures how little there is. Predictable session ids could allow an attacker to guess a valid session id and gain access to systems.
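The following is an added illustration, not Starch's own code and not the fix shipped in later releases. It places a generator shaped the way the advisory describes (a SHA-1 digest over a counter, the epoch time, rand(), the PID and a reference address; function names and input order are assumptions) next to a hardened generator that takes 256 bits directly from the kernel CSPRNG via /dev/urandom. Both use only core Perl modules.

```perl
#!/usr/bin/env perl
# Added example: contrasts a weak session-id generator (modelled on the
# advisory's description; this is a hypothetical reconstruction, not the
# Starch source) with one that draws from the OS CSPRNG.
use strict;
use warnings;
use Digest::SHA  qw(sha1_hex);
use Scalar::Util qw(refaddr);

my $counter = 0;

# Weak generator. Every input is a small integer, guessable from the
# HTTP Date header, or produced by rand(), which is not a CSPRNG.
# SHA-1 hides the structure of the inputs but adds no entropy.
sub weak_session_id {
    my ($obj) = @_;    # any reference; its address is one of the inputs
    my $material = join '|', $counter++, time(), rand(), $$, refaddr($obj);
    return sha1_hex($material);
}

# Hardened generator: 32 bytes (256 bits) straight from /dev/urandom,
# hex-encoded. 128 bits is the usual minimum for a session id; 256 leaves
# a comfortable margin and costs nothing.
sub secure_session_id {
    my $want = 32;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $want;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $want;
    return unpack 'H*', $buf;    # 64 hex characters
}

my $obj = {};
printf "weak:   %s (%d hex chars)\n", weak_session_id($obj), length weak_session_id($obj);
printf "secure: %s (%d hex chars)\n", secure_session_id(),   length secure_session_id();
```

Reading /dev/urandom directly keeps the example dependency-free; on a real deployment a portable wrapper such as Crypt::URandom, or the generator shipped with a patched Starch release, is the better choice. To check which Starch is installed, run `perl -MStarch -e 'print Starch->VERSION, "\n"'` and compare against the affected range (0.14 and earlier).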

NAME

Starch - Implementation independent persistent statefulness.

SYNOPSIS

my $starch = Starch->new(
    expires => 60 * 15, # 15 minutes
    store => {
        class   => '::Memory',
    },
); # Returns a Starch::Manager object.

my $new_state = $starch->state();        # Creates a state with a fresh id.
my $existing_state = $starch->state( $id ); # Loads the state for an existing id.

DESCRIPTION

This module provides the main entry point to Starch and provides the new method for constructing new Starch::Manager objects.

Starch documentation can be found at Starch::Manual.

AUTHOR

Aran Clary Deltac <bluefeet@gmail.com>

CONTRIBUTORS

  • Arthur Axel "fREW" Schmidt <frioux+cpan@gmail.com>

ACKNOWLEDGEMENTS

Thanks to ZipRecruiter for encouraging their employees to contribute back to the open source ecosystem. Without their dedication to quality software development this distribution would not exist.

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.