Security Advisories (2)
CPANSA-Plack-Middleware-Session-2014-01 (2014-08-11)

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server, when the middleware is enabled without a secret.

CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
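As a mitigation for CVE-2025-40923 on installations still below 0.35, the session id generator can be overridden so that ids come from the operating system's CSPRNG. This is an added example, not part of the module's documentation; it assumes Crypt::URandom is installed and that the application is served over HTTPS, and the visit counter is only there to exercise the session.

```perl
use strict;
use warnings;
use Plack::Builder;
use Plack::Session::State::Cookie;
use Plack::Session::Store::Cache;
use CHI;
use Crypt::URandom qw(urandom);    # assumption: installed from CPAN

# 32 bytes (256 bits) from the OS CSPRNG, hex-encoded to 64 characters.
# Replaces the default SHA-1 over rand(), epoch time and PID.
my $sid_generator = sub { unpack 'H*', urandom(32) };

# The validator must match the generator's output format; the default
# validator only accepts the 40 hex characters of a SHA-1 digest.
my $sid_validator = qr/\A[0-9a-f]{64}\z/;

# Fail at startup rather than at request time if the two ever disagree.
die "sid_generator output does not match sid_validator\n"
    unless $sid_generator->() =~ $sid_validator;

my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{visits}++;
    return [
        200,
        [ 'Content-Type' => 'text/plain' ],
        [ "Visits: $session->{visits}\n" ],
    ];
};

builder {
    enable 'Session',
        state => Plack::Session::State::Cookie->new(
            sid_generator => $sid_generator,
            sid_validator => $sid_validator,
            httponly      => 1,
            secure        => 1,    # assumes HTTPS-only deployment
        ),
        store => Plack::Session::Store::Cache->new(
            cache => CHI->new( driver => 'FastMmap' ),
        );
    $app;
};
```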

NAME

Plack::Session::Store::Cache - Cache session store

SYNOPSIS

use Plack::Builder;
use Plack::Session::Store::Cache;
use CHI;

my $app = sub {
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello Foo' ] ];
};

builder {
    enable 'Session',
        store => Plack::Session::Store::Cache->new(
            cache => CHI->new(driver => 'FastMmap')
        );
    $app;
};

DESCRIPTION

This will persist session data using any module which implements the Cache interface. This offers a lot of flexibility due to the many excellent Cache, Cache::Cache and CHI drivers available.

This is a subclass of Plack::Session::Store and implements its full interface.

METHODS

new ( %params )

The constructor expects the cache param to be an object instance which has the get, set, and remove methods; it will throw an exception if that is not the case.

cache

A simple accessor for the cache handle.

BUGS

All complex software has bugs lurking in it, and this module is no exception. If you find a bug please either email me, or add the bug to cpan-RT.

AUTHOR

Masahiro Chiba