Security Advisories (2)
CPANSA-Plack-Middleware-Session-2014-01 (2014-08-11)

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability that allows an attacker to execute arbitrary code on the server when the middleware is enabled without a secret.

CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

Changes for version 0.09_02 - 2010-01-30

  • Fixed a bug in Cookie serialization where it breaks the response headers generated by applications (tomyhero)

Changes for version 0.09_01 - 2010-01-30

  • Reworked the internal code and API a lot, so Session persistence and retrieval are handled in a more stateless way
  • INCOMPATIBLE: psgix.session is now a hash reference rather than an object. If you need an object like before, do: use Plack::Session; $session = Plack::Session->new($env);
  • Added Plack::Middleware::Session::Cookie which uses CookieStore
  • Updated Cookie handling code to work with Plack 0.99 and later

Modules

Middleware for session management
Session middleware that saves session data in the cookie
Middleware for session management
Basic parameter-based session state
Basic cookie-based session state
Basic in-memory session store
Cache session store
Basic file-based session store