Security Advisories (2)
CPANSA-Plack-Middleware-Session-2014-01 (2014-08-11)

Plack::Middleware::Session::Cookie 0.21 allows an attacker to execute arbitrary code on the server when the middleware is enabled without a secret.

CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash computed over the built-in rand function's output, the epoch time, and the PID. The PID comes from a small set of numbers, and the epoch time can be guessed if it is not simply leaked by the HTTP Date header. The built-in rand function is unsuitable for cryptographic use. Predictable session ids could allow an attacker to gain access to systems.
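The fix for CVE-2025-40923 is to upgrade to Plack-Middleware-Session 0.35 or later. The following .psgi is an added example, not code from this distribution or its authors, showing how a deployment that cannot upgrade yet (or that wants longer ids) supplies its own generator and validator instead of relying on the default: the id is read from the kernel CSPRNG via /dev/urandom using only core Perl, the validator is pinned to exactly what that generator can emit, and the cookie is marked secure and httponly. It assumes `@connect_args` as in the SYNOPSIS below (here pointed at SQLite) and that the `sid_generator`, `sid_validator`, `secure` and `httponly` options of Plack::Session::State::Cookie are available. A 64-character hex id still fits the CHAR(72) column from the schema section.

```perl
use strict;
use warnings;
use DBI;
use Plack::Builder;
use Plack::Session::State::Cookie;
use Plack::Session::Store::DBI;

# Read $n bytes from the kernel CSPRNG and return them hex-encoded.
# Core Perl only; dies loudly rather than falling back to rand().
sub urandom_hex {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = sysread $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return unpack 'H*', $buf;
}

# Assumed connection arguments; substitute your own DSN and credentials.
my @connect_args = ( 'dbi:SQLite:dbname=sessions.db', '', '', { RaiseError => 1 } );

my $app = sub {
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello Foo' ] ];
};

builder {
    enable 'Session',
        state => Plack::Session::State::Cookie->new(
            # 32 bytes of kernel randomness -> 64 hex characters.
            # Replaces the sha1(rand . $$ . time) default described above.
            sid_generator => sub { urandom_hex(32) },
            # Accept only ids this generator could have produced; anything
            # else is treated as "no session" and a fresh id is issued.
            sid_validator => qr/\A[0-9a-f]{64}\z/,
            secure        => 1,   # cookie only sent over HTTPS
            httponly      => 1,   # cookie not readable from JavaScript
        ),
        store => Plack::Session::Store::DBI->new(
            get_dbh => sub { DBI->connect( @connect_args ) },
        );
    $app;
};
```

Run it with `plackup app.psgi`. The validator matters as much as the generator: if it is left at a default that only accepts the old 40-character form, ids from the new generator would be rejected on every request and a new session created each time.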

NAME

Plack::Session::Store::DBI - DBI-based session store

SYNOPSIS

use Plack::Builder;
use Plack::Middleware::Session;
use Plack::Session::Store::DBI;

my $app = sub {
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello Foo' ] ];
};

builder {
    enable 'Session',
        store => Plack::Session::Store::DBI->new(
            dbh => DBI->connect( @connect_args )
        );
    $app;
};

# set get_dbh callback for ondemand

builder {
    enable 'Session',
        store => Plack::Session::Store::DBI->new(
            get_dbh => sub { DBI->connect( @connect_args ) }
        );
    $app;
};

# with custom serializer/deserializer

builder {
    enable 'Session',
        store => Plack::Session::Store::DBI->new(
            dbh => DBI->connect( @connect_args ),
            # YAML takes its args in the opposite order
            serializer   => sub { YAML::DumpFile( reverse @_ ) },
            deserializer => sub { YAML::LoadFile( @_ ) },
        );
    $app;
};

DESCRIPTION

This implements a DBI based storage for session data. By default it will use Storable and MIME::Base64 to serialize and deserialize the data, but this can be changed easily by passing your own serializer and deserializer callbacks, as shown in the SYNOPSIS.

This is a subclass of Plack::Session::Store and implements its full interface.

SESSION TABLE SCHEMA

Your session table must have at least the following schema structure:

CREATE TABLE sessions (
    id           CHAR(72) PRIMARY KEY,
    session_data TEXT
);

Note that MySQL TEXT fields only store 64KB, and the default serializer Base64-encodes the frozen data, which inflates it by about a third. If your session data will approach that size you'll want to move to MEDIUMTEXT, MEDIUMBLOB, or larger.
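As an added check that is not part of this module's documentation, the script below creates the minimal schema above in an in-memory SQLite database and exercises the store's fetch, store and remove interface against it. It assumes DBD::SQLite is installed; the session id and session hash are constructed for the example (in a real application both come from Plack::Middleware::Session). It also shows what actually lands in session_data with the default serializer: Base64 text of a Storable image, which is opaque to a casual SELECT but not encrypted, so anyone who can read the table can thaw every live session.

```perl
use strict;
use warnings;
use DBI;
use Plack::Session::Store::DBI;

# In-memory SQLite database; DBD::SQLite is assumed to be installed.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 } );

# The minimal schema required by the section above.
$dbh->do(<<'SQL');
CREATE TABLE sessions (
    id           CHAR(72) PRIMARY KEY,
    session_data TEXT
)
SQL

my $store = Plack::Session::Store::DBI->new( dbh => $dbh );

# Constructed inputs for this example.
my $sid     = 'f' x 40;
my $session = { user_id => 42, roles => ['admin'], csrf => 'abc123' };

$store->store( $sid, $session );

# Inspect the raw row: Base64 (MIME::Base64 wraps lines with "\n")
# of a Storable nfreeze image, not the plain values.
my ($raw) = $dbh->selectrow_array(
    'SELECT session_data FROM sessions WHERE id = ?', undef, $sid );
die "session_data is not Base64 text" unless $raw =~ m{\A[A-Za-z0-9+/=\n]+\z};
printf "stored %d bytes of serialized data for session %s\n", length $raw, $sid;

# Round trip through the deserializer.
my $back = $store->fetch($sid);
die "round-trip failed"
    unless $back->{user_id} == 42 && $back->{roles}[0] eq 'admin';

# An unknown id yields undef rather than an error.
die "unexpected hit for unknown id" if defined $store->fetch( 'a' x 40 );

# remove() deletes the row; the middleware calls it when a session is
# expired, so a logout must reach this or the row stays valid.
$store->remove($sid);
die "row survived remove()" if defined $store->fetch($sid);

print "schema and store interface OK\n";
```

If you change the serializer, rerun this after the change: a serializer that returns something other than a string (the YAML::DumpFile example in the SYNOPSIS writes a file rather than returning the serialized form) will fail the raw-row check here long before it fails in production.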

AUTHORS

This module is partially based upon Catalyst::Plugin::Session::Store::DBI.

Daisuke Maki

COPYRIGHT AND LICENSE

Copyright 2009, 2010 Daisuke Maki <daisuke@endeworks.jp>

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.