Security Advisories (2)
CPANSA-Plack-Middleware-Session-2014-01 (2014-08-11)

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server, when the middleware is enabled without a secret.

CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

NAME

Plack::Middleware::Session::Cookie - Session middleware that saves session data in the cookie

SYNOPSIS

enable "Session::Cookie";

DESCRIPTION

This middleware component lets you use the cookie as the sole session state and store, with no server-side storage involved in session management. The middleware sets up its own state and store objects automatically, so you cannot override them.

CONFIGURATIONS

This middleware is a subclass of Plack::Middleware::Session and accepts most of the parent class's configuration options. In addition, the following options are accepted.

secret

Server-side secret used to sign the session data with HMAC-SHA1. Defaults to nothing (i.e. the session data is not signed), but setting your own secret string is strongly recommended.
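The secret option decides whether the client-held session payload is signed at all. The following is an added Python example, not the module's own code, that models that check: HMAC-SHA1 over the serialized session, verified with a constant-time compare, beside the unsigned default in which an edited cookie is simply accepted. The "payload--hexmac" layout and the JSON serialization are assumptions made for this illustration, not the module's wire format.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Model of a client-side session store: the whole session travels in the
# cookie. With a secret, the payload is signed with HMAC-SHA1; without one
# (the module's default) nothing protects it. The "<payload>--<hexmac>"
# layout and the JSON serialization are assumptions for this example.

def _serialize(session: dict) -> str:
    return base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()

def _mac(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()

def encode_session(session: dict, secret: Optional[bytes]) -> str:
    payload = _serialize(session)
    if secret is None:
        return payload                     # unsigned: the client can rewrite it
    return f"{payload}--{_mac(secret, payload)}"

def decode_session(cookie: str, secret: Optional[bytes]) -> Optional[dict]:
    """Return the session, or None when the cookie does not verify."""
    if secret is None:
        payload = cookie                   # no secret: any well-formed cookie is trusted
    else:
        payload, sep, mac = cookie.rpartition("--")   # base64 never contains '-'
        if not sep:
            return None
        if not hmac.compare_digest(mac, _mac(secret, payload)):   # constant-time
            return None
    try:
        return json.loads(base64.b64decode(payload, validate=True))
    except ValueError:                     # bad base64, bad UTF-8 or bad JSON
        return None

def client_edited(cookie: str) -> str:
    """Constructed test input: the client changes a field and keeps the old MAC."""
    payload, sep, mac = cookie.partition("--")
    data = json.loads(base64.b64decode(payload))
    data["user"] = "admin"
    return _serialize(data) + sep + mac

if __name__ == "__main__":
    secret = b"constructed-example-secret"
    print(decode_session(client_edited(encode_session({"user": "alice"}, secret)), secret))  # None
    print(decode_session(client_edited(encode_session({"user": "alice"}, None)), None))      # {'user': 'admin'}
```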

session_key, domain, expires, path, secure, httponly

Accessors for the cookie attributes. See Plack::Session::State::Cookie for these options.

AUTHOR

Tatsuhiko Miyagawa

SEE ALSO

Rack::Session::Cookie, Dancer::Session::Cookie