Security Advisories (1)
CVE-2025-40924 (2025-07-17)

Catalyst::Plugin::Session before version 0.44 for Perl generates session IDs insecurely. The session ID is derived from a (usually SHA-1) hash of a simple counter, the epoch time, the output of the built-in rand function, the PID and the current Catalyst context. These inputs are low-entropy: the PID comes from a small range, the epoch time can be guessed if it is not simply read from the HTTP Date header, and the built-in rand function is not suitable for cryptographic use. Hashing the inputs does not add any entropy, so an attacker who can reconstruct them can reproduce the ID. Predictable session IDs could allow an attacker to gain access to systems.
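
To make the advisory concrete, the following is an added example (it is neither the module's own code nor the fix shipped in 0.44). It contrasts an illustrative generator built from the inputs the advisory lists with one that draws the ID directly from the OS CSPRNG, and shows that once the guessable inputs and the rand seed are fixed, the weak ID is fully reproducible. The epoch, PID and context values are constructed stand-ins, and the weak generator is a sketch of the listed inputs, not a reproduction of the affected code.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Illustrative weak generator assembled from the inputs the advisory lists
# (counter, epoch time, rand, PID, context). NOT the module's own code.
# Every input is small, guessable or reproducible, and SHA-1 adds nothing.
my $counter = 0;
sub reset_counter { $counter = 0 }

sub weak_session_id {
    my ( $epoch, $pid, $ctx ) = @_;    # stand-ins for time(), $$ and "$c"
    return sha1_hex( join '', $counter++, $epoch, rand(), $pid, $ctx );
}

# Hardened generator: 32 bytes from the OS CSPRNG, hex-encoded. No hashing
# is needed; the random bytes themselves are the unpredictable secret.
sub secure_session_id {
    my $len = 32;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $len;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    return unpack 'H*', $bytes;
}

# Demonstration: with the timestamp (Date header), PID (small range), counter
# (session volume) and rand seed pinned, the weak ID comes out identical on
# replay. The CSPRNG-backed ID does not repeat.
my ( $epoch, $pid, $ctx ) = ( 1_700_000_000, 4242, 'MyApp' );   # constructed values

srand(1); reset_counter();
my $first = weak_session_id( $epoch, $pid, $ctx );
srand(1); reset_counter();
my $replay = weak_session_id( $epoch, $pid, $ctx );
print "weak id reproduced on replay: ", ( $first eq $replay ? "yes" : "no" ), "\n";

my ( $id1, $id2 ) = ( secure_session_id(), secure_session_id() );
print "secure ids distinct: ", ( $id1 ne $id2 ? "yes" : "no" ), "\n";
print "secure id length: ", length($id1), " hex chars (256 bits)\n";
```

Reading /dev/urandom directly works on Unix-like systems; a portable alternative is a CPAN module that wraps the platform CSPRNG, such as Crypt::URandom. Whichever source is used, the check a practitioner wants is that the ID is a function of CSPRNG output alone, not of any value a client can observe or narrow down.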

NAME

Catalyst::Plugin::Session::Store - Base class for session storage drivers.

SYNOPSIS

package Catalyst::Plugin::Session::Store::MyBackend;
use base qw/Catalyst::Plugin::Session::Store/;

DESCRIPTION

This class doesn't provide any functionality of its own. When Catalyst::Plugin::Session is set up it checks that YourApp->isa("Catalyst::Plugin::Session::Store") holds, so that a missing session storage plugin is detected when the application is set up.

When you write a session storage plugin you should subclass this module, for that reason only.

WRITING STORE PLUGINS

All session storage plugins need to adhere to the following interface specification to work correctly:

Required Methods

get_session_data $sid

Retrieve a session from storage, whose ID is the first parameter.

Should return a hash reference.

store_session_data $sid, $hashref

Store the session whose ID is the first parameter and whose data is the second parameter.

The second parameter is a hash reference, which should normally be serialized on the way into storage (and deserialized again by get_session_data).

delete_session_data $sid

Delete the session whose ID is the first parameter.

delete_expired_sessions

This method is not called by any code at present, but may be called in the future as part of a Catalyst-specific maintenance script.

If you are wrapping a backend which manages its own auto-expiry you can give this method an empty body.

Error handling

All errors should be thrown using Catalyst::Exception. Return values are not checked at all and are assumed to indicate success, so a backend that reports failure through a return value instead of throwing will have its failures silently ignored.

Auto-Expiry on the Backend

Storage plugins are encouraged to use $c->config->{session}{expires} and the __expires key in the session data hash reference to expire data automatically on the backend side.

If the backend chooses not to do so, Catalyst::Plugin::Session will detect expired sessions as they are retrieved and delete them if necessary.

Note that session stores that rely on this lazy detection may leak disk space, since nothing actively deletes sessions that expire but are never retrieved again. The delete_expired_sessions method exists so that a regularly scheduled maintenance script can give your backend the opportunity to clean up.
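
A minimal backend implementing the required methods above, together with the backend-side expiry described under Auto-Expiry, as an added example: this is not the module's own code and is not shipped with Catalyst::Plugin::Session. It assumes Catalyst and Catalyst::Plugin::Session are installed, keeps everything in process memory (so it suits a single-process development server, not production), reads the expiry from the __expires key as this page describes, falls back to the configured lifetime when $c exposes config(), and treats the session id it is handed as an opaque key. The package name and the trailing stand-alone exercise are the example's own.

```perl
package Catalyst::Plugin::Session::Store::InMemory;   # hypothetical backend name
use strict;
use warnings;
use base qw/Catalyst::Plugin::Session::Store/;
use Storable qw(freeze thaw);
use Catalyst::Exception;

# Process-local storage, keyed by the id Catalyst passes in (treated as
# opaque): key => [ frozen payload, expiry epoch or undef ].
my %STORE;

sub get_session_data {
    my ( $c, $sid ) = @_;
    my $entry = $STORE{$sid} or return undef;
    # Backend-side expiry: never hand back stale data, even if the
    # maintenance sweep has not run yet.
    if ( defined $entry->[1] && $entry->[1] <= time ) {
        delete $STORE{$sid};
        return undef;
    }
    return thaw( $entry->[0] )->{data};
}

sub store_session_data {
    my ( $c, $sid, $data ) = @_;
    # Errors are thrown, never returned: the caller ignores return values.
    Catalyst::Exception->throw( message => 'store_session_data: missing session id' )
        unless defined $sid && length $sid;

    # Expiry comes from the __expires key when present; otherwise fall back
    # to the configured session lifetime if the caller exposes config().
    my $expires;
    $expires = $data->{__expires} if ref $data eq 'HASH' && defined $data->{__expires};
    if ( !defined $expires && $c->can('config') ) {
        my $ttl = $c->config->{session}{expires};
        $expires = time + $ttl if defined $ttl;
    }

    # Serialize (wrapped in a hash so plain scalars freeze too), so later
    # mutation of the caller's structure does not alter what is stored.
    $STORE{$sid} = [ freeze( { data => $data } ), $expires ];
    return;
}

sub delete_session_data {
    my ( $c, $sid ) = @_;
    delete $STORE{$sid};
    return;
}

# Intended for a scheduled maintenance script; returns the number reaped.
sub delete_expired_sessions {
    my ($c) = @_;
    my $now     = time;
    my $removed = 0;
    for my $sid ( keys %STORE ) {
        my $exp = $STORE{$sid}[1];
        next unless defined $exp && $exp <= $now;
        delete $STORE{$sid};
        $removed++;
    }
    return $removed;
}

package main;

# Stand-alone exercise of the interface; the class name stands in for $c.
unless (caller) {
    my $store = 'Catalyst::Plugin::Session::Store::InMemory';
    $store->store_session_data( 'session:stale', { user => 'alice', __expires => time - 1 } );
    $store->store_session_data( 'session:live',  { user => 'bob',   __expires => time + 3600 } );
    my $reaped = $store->delete_expired_sessions;
    my $live   = $store->get_session_data('session:live');
    print "reaped $reaped stale session(s); live user is $live->{user}\n";
}

1;
```

Two design points worth carrying into a real backend: expiry is enforced on read as well as by the sweep, so a store that is never swept still never returns a dead session; and the data is serialized at store time rather than kept by reference, so the backend's copy cannot be changed behind Catalyst's back after the request has finished.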