/ 
Plack-Middleware-Session-0.26
⭐ Starred 40
Security Advisories (1)
CVE-2025-40923 (2025-07-16)

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Changes for version 0.26 - 2015-02-03

  • Improved documentation (oalders, basiliscos, Mohammad Anwar, alexmv)
  • Session storage is now updated in the cleanup phase, after the streaming is complete (alexmv) #28

Modules

Plack::Middleware::Session
Middleware for session management
Plack::Middleware::Session::Cookie
Session middleware that saves session data in the cookie
Plack::Session
Middleware for session management
Plack::Session::Cleanup
Run code when the environment is destroyed
Plack::Session::State
Basic parameter-based session state
Plack::Session::State::Cookie
Basic cookie-based session state
Plack::Session::Store
Basic in-memory session store
Plack::Session::Store::Cache
Cache session store
Plack::Session::Store::DBI
DBI-based session store
Plack::Session::Store::File
Basic file-based session store
Plack::Session::Store::Null
Null store

Examples

Other files