/ 
Plack-Middleware-Session-0.17
Security Advisories (2)
CPANSA-Plack-Middleware-Session-2014-01 (2014-08-11)

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server, when the middleware is enabled without a secret.

CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Changes for version 0.17 - 2013-02-11

  • Use constant time comparison of HMAC signature to be precautious for timing attacks

Modules

Plack::Middleware::Session
Middleware for session management
Plack::Middleware::Session::Cookie
Session middleware that saves session data in the cookie
Plack::Session
Middleware for session management
Plack::Session::State
Basic parameter-based session state
Plack::Session::State::Cookie
Basic cookie-based session state
Plack::Session::Store
Basic in-memory session store
Plack::Session::Store::Cache
Cache session store
Plack::Session::Store::DBI
DBI-based session store
Plack::Session::Store::File
Basic file-based session store
Plack::Session::Store::Null
Null store

Examples

Other files