Security Advisories (1)
CVE-2025-40924 (2025-07-17)

Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

NAME

Catalyst::Plugin::Session::State - Base class for session state preservation plugins.

SYNOPSIS

package Catalyst::Plugin::Session::State::MyBackend;
use base qw/Catalyst::Plugin::Session::State/;

DESCRIPTION

This class doesn't actually provide any functionality, but when the Catalyst::Plugin::Session module sets up, it checks that YourApp->isa("Catalyst::Plugin::Session::State").

When you write a session state plugin, you should subclass this module for this reason only.

WRITING STATE PLUGINS

To write a session state plugin you usually need to extend two methods:

prepare_(action|cookies|whatever)

Set sessionid (accessor) at prepare time using data in the request.

Note that this must happen before other prepare_action instances, in order to get along with Catalyst::Plugin::Session. Overriding prepare_cookies is probably the stablest approach.

finalize

Modify the response to include the session ID if sessionid is defined, using whatever scheme you use. For example, set a cookie,
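The two steps above, carried through as an added example of a minimal cookie-based state plugin. This is illustrative code written for this page, not part of Catalyst::Plugin::Session or any shipped state plugin. It assumes the package name Catalyst::Plugin::Session::State::ExampleCookie and the cookie name example_session (both made up here), and it hooks finalize_headers, the hook the shipped Cookie state plugin uses, so the cookie is added before the response headers are written. The id read back from the request is accepted only if it looks like a hex digest, which is an assumption about the configured digest format; anything else is treated as "no session" rather than handed to Catalyst::Plugin::Session.

```perl
package Catalyst::Plugin::Session::State::ExampleCookie;
# Hypothetical example state plugin for this page; not the module's own code.
use strict;
use warnings;
use MRO::Compat;    # provides $c->maybe::next::method for the plugin chain
use base qw/Catalyst::Plugin::Session::State/;

# Assumed cookie name; a real plugin would read this from config.
my $COOKIE_NAME = 'example_session';

# Step 1: set sessionid at prepare time from data in the request.
# prepare_cookies runs before prepare_action, so Catalyst::Plugin::Session
# finds the id when its own prepare_action hook asks for one.
sub prepare_cookies {
    my $c = shift;

    if ( my $cookie = $c->request->cookie($COOKIE_NAME) ) {
        my $sid = $cookie->value;

        # Accept only an id in the shape we issue (hex digest, bounded length);
        # a malformed or oversized value is ignored, never passed downstream.
        if ( defined $sid && $sid =~ /\A[0-9a-f]{1,256}\z/i ) {
            $c->sessionid($sid);
        }
    }

    return $c->maybe::next::method(@_);
}

# Step 2: if a session id is defined, put it in the response as a cookie.
sub finalize_headers {
    my $c = shift;

    if ( my $sid = $c->sessionid ) {
        $c->response->cookies->{$COOKIE_NAME} = {
            value    => $sid,
            path     => '/',
            httponly => 1,                          # not readable by page scripts
            secure   => $c->request->secure ? 1 : 0, # only over HTTPS when the request was
        };
    }

    return $c->maybe::next::method(@_);
}

1;
```

Load it in the application alongside Session and a Store plugin, for example use Catalyst qw/Session Session::State::ExampleCookie Session::Store::File/; the plugin never generates ids itself, it only carries whatever id Catalyst::Plugin::Session produced, so the advisory above about id generation applies regardless of which state plugin is in use.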