Security Advisories (1)
CVE-2025-40924 (2025-07-17)

Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
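The following Perl script is an added illustration, not code from Catalyst::Plugin::Session itself: it reproduces the shape of the low-entropy construction the advisory describes beside a CSPRNG-backed replacement and a format check for client-supplied ids. The context string is a hypothetical stand-in for the Catalyst context object, and the hardened generator assumes a Unix /dev/urandom.

```perl
#!/usr/bin/perl
# Added example; mirrors the advisory's description, not the plugin's own code.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Weak construction: every input is guessable or drawn from a small range.
my $counter = 0;
sub weak_session_id {
    my ($context) = @_;            # hypothetical stand-in for the Catalyst context
    my $material = join '',
        $counter++,                # simple counter
        time(),                    # epoch seconds: guessable, often leaked via Date header
        rand(),                    # Perl's built-in rand(): not a CSPRNG
        $$,                        # PID: small set of likely values
        $context;
    return sha1_hex($material);    # hashing low-entropy input adds no entropy
}

# Hardened construction: 32 bytes straight from the kernel CSPRNG.
# Assumes /dev/urandom exists; elsewhere a CPAN CSPRNG wrapper would replace it.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 32);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $bytes;    # 64 hex chars carrying 256 bits of entropy
}

# Validate a client-supplied id before touching the store: only a hex string
# of the expected length is worth a lookup.
sub looks_like_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{64}\z/ ? 1 : 0;
}

print "weak:   ", weak_session_id('Catalyst-context-placeholder'), "\n";
my $sid = secure_session_id();
print "secure: $sid\n";
print "valid:  ", (looks_like_session_id($sid) ? 'yes' : 'no'), "\n";
```

Running the weak generator twice in one process shows how little changes between ids (only the counter and rand output move), which is the property the advisory warns about; the secure generator produces ids that are unrelated from one call to the next.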

Modules

Generic Session plugin - ties together server side storage and client side state required to maintain session data.
Base class for session state preservation plugins.
Base class for session storage drivers.
Doesn't really store sessions - useful for tests.
Reusable sanity for session storage engines.

Provides

in lib/Catalyst/Plugin/Session/Test/Store.pm
in lib/Catalyst/Plugin/Session/Test/Store.pm
t1
in lib/Catalyst/Plugin/Session/Test/Store.pm
t2
in lib/Catalyst/Plugin/Session/Test/Store.pm