Security Advisories (2)
CPANSA-Plack-Middleware-Session-2014-01 (2014-08-11)

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server, when the middleware is enabled without a secret.

CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
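The two advisories above describe configuration mistakes rather than bugs in the store itself: a client-side session cookie enabled without a secret, and a server-side session id drawn from rand/time/PID. The following added example (not code from the Plack distribution) shows the hardened form of both setups. It assumes the CPAN module Crypt::URandom is installed and uses the SESSION_SECRET environment variable as a placeholder source for the cookie-signing secret; the 64-hex-character id format and its validator regex are this example's own choices.

```perl
#!/usr/bin/env perl
# Added example, not part of Plack-Middleware-Session.
# Assumes Crypt::URandom (CPAN) is installed.
use strict;
use warnings;
use Plack::Builder;
use Plack::Session;
use Plack::Session::State::Cookie;
use Plack::Session::Store;
use Crypt::URandom qw(urandom);

# A small application that counts requests per session.
my $app = sub {
    my $env     = shift;
    my $session = Plack::Session->new($env);
    my $hits    = ($session->get('hits') || 0) + 1;
    $session->set(hits => $hits);
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ "hits: $hits\n" ] ];
};

# 256 bits from the OS CSPRNG, hex-encoded (64 characters).  Nothing about
# the process (PID, clock, rand) feeds into the id, so it cannot be guessed.
my $secure_sid_generator = sub { unpack 'H*', urandom(32) };

# Server-side sessions: build the state object explicitly so that the id
# generator and the validator are under our control rather than the default.
my $state = Plack::Session::State::Cookie->new(
    session_key   => 'plack_session',
    httponly      => 1,                        # not readable from JavaScript
    secure        => 1,                        # sent over HTTPS only
    sid_generator => $secure_sid_generator,
    sid_validator => qr/\A[0-9a-f]{64}\z/,     # reject ids we could not have issued
);

my $server_side = builder {
    enable 'Session',
        state => $state,
        store => Plack::Session::Store->new;   # in-memory: development/testing only
    $app;
};

# Client-side sessions (Plack::Middleware::Session::Cookie): the payload is
# signed with 'secret', so the middleware must never run without one.
my $secret = $ENV{SESSION_SECRET}
    or die "SESSION_SECRET must be set to a long random value\n";   # placeholder source

my $cookie_only = builder {
    enable 'Session::Cookie',
        secret      => $secret,
        session_key => 'plack_session',
        httponly    => 1,
        secure      => 1;
    $app;
};

# Return one of the two configured apps as the PSGI application.
$server_side;
```

Saved as a .psgi file this serves the server-side variant; replace the last line with `$cookie_only;` to serve the signed-cookie variant instead. The sid_validator matters as much as the generator: any id presented by a client that does not match the pattern is discarded before the store is consulted.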

NAME

Plack::Session::Store - Basic in-memory session store

SYNOPSIS

use Plack::Builder;
use Plack::Middleware::Session;
use Plack::Session::Store;

my $app = sub {
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello Foo' ] ];
};

builder {
    enable 'Session'; # this is the default store
    $app;
};

DESCRIPTION

This is a very basic in-memory session data store. It is volatile storage and not recommended for multiprocessing environments. However it is very useful for development and testing.

This should be considered the store "base" class (although subclassing is not a requirement) and defines the spec for all Plack::Session::Store::* modules. You will only need to override a couple of methods if you do subclass. See the other Plack::Session::Store::* modules for examples of this.

METHODS

new ( %params )

No parameters are expected to this constructor.

Session Data Management

These methods read and write data in the session storage. The store is designed to store or delete multiple keys at a time.

fetch ( $session_id )
store ( $session_id, $session )

Storage Management

remove ( $session_id )

This method is called by the Plack::Session expire method and is used to remove any session data.
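The fetch/store/remove methods above are the whole contract a store has to honour, and the base class's in-memory implementation is small enough that a subclass can change the behaviour of a single method. The following added example (not code from the Plack distribution) subclasses Plack::Session::Store so that entries expire after a time-to-live: a session that has been idle longer than the ttl is treated as absent by fetch and removed, so a stale id cannot bring back old data. The package name My::Session::Store::TTL and the ttl parameter are this example's own choices; it assumes the base class keeps its hash in the `_stash` accessor, as the module's implementation does.

```perl
package My::Session::Store::TTL;
# Added example, not part of Plack-Middleware-Session: an in-memory store
# whose entries expire after 'ttl' seconds.  Relies on the base class's
# _stash accessor (an assumption about Plack::Session::Store internals).
use strict;
use warnings;
use parent 'Plack::Session::Store';
use Plack::Util::Accessor qw(ttl);

sub new {
    my ($class, %params) = @_;
    $params{ttl} ||= 3600;                 # seconds; one hour unless given
    return $class->SUPER::new(%params);    # base new() sets up _stash
}

# Each stash entry wraps the session hash together with its absolute expiry.
sub store {
    my ($self, $session_id, $session) = @_;
    $self->_stash->{$session_id} = {
        data    => $session,
        expires => time + $self->ttl,
    };
    return;
}

# Expired entries are reported as missing and deleted on the way out.
sub fetch {
    my ($self, $session_id) = @_;
    my $entry = $self->_stash->{$session_id} or return;
    if ($entry->{expires} <= time) {
        $self->remove($session_id);
        return;
    }
    return $entry->{data};
}

# remove() is inherited unchanged: it deletes the stash entry for the id,
# which is exactly what Plack::Session's expire method needs.

package main;
use strict;
use warnings;
use Plack::Builder;

# Plug the store into the middleware like any other Plack::Session::Store::*.
my $app = builder {
    enable 'Session', store => My::Session::Store::TTL->new(ttl => 1800);
    sub { [ 200, [ 'Content-Type' => 'text/plain' ], [ "ok\n" ] ] };
};

# Stand-alone check of the expiry behaviour with a one-second ttl.
my $short = My::Session::Store::TTL->new(ttl => 1);
$short->store('sid-constructed-1', { user => 'alice' });   # constructed sample
print 'immediately: ', (defined $short->fetch('sid-constructed-1') ? "present\n" : "absent\n");
sleep 2;
print 'after 2s:    ', (defined $short->fetch('sid-constructed-1') ? "present\n" : "absent\n");

$app;
```

Run as a script, the check prints "present" for the first fetch and "absent" for the second, and the second fetch also clears the entry from the stash. Like the base class, this store is still volatile and per-process, so it remains a development and testing aid rather than something to use behind a multi-process server.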

BUGS

All complex software has bugs lurking in it, and this module is no exception. If you find a bug please either email me, or add the bug to cpan-RT.

AUTHOR

Stevan Little <stevan.little@iinteractive.com>

COPYRIGHT AND LICENSE

Copyright 2009, 2010 Infinity Interactive, Inc.

http://www.iinteractive.com

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.