Security Advisories (1)
CVE-2025-40924 (2025-07-17)

Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed if it is not simply leaked by the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
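As an added illustration (not code from Catalyst::Plugin::Session, and not the project's own 0.44 fix), the generator below shows the low-entropy construction the advisory describes next to one that draws the id from the operating system CSPRNG; it assumes a Unix host with /dev/urandom and the core Digest::SHA module.

```perl
#!/usr/bin/perl
# Added example: weak session id construction (inputs of the kind the advisory
# lists) beside a hardened one. Assumes /dev/urandom is available.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Weak pattern: every input is small or guessable, and hashing the
# concatenation does not add entropy, it only hides the inputs.
my $counter = 0;
sub weak_session_id {
    $counter++;
    my $material = join '', $counter, time, rand, $$;   # counter, epoch, rand(), PID
    return sha1_hex($material);
}

# Hardened pattern: 256 bits straight from the kernel CSPRNG, hex-encoded.
# No hash is needed; the id is unpredictable because its source is.
sub secure_session_id {
    my $n = 32;                                # bytes of randomness wanted
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my ($buf, $got) = ('', 0);
    while ($got < $n) {                        # loop in case of a short read
        my $r = sysread $fh, $buf, $n - $got, $got;
        die "sysread /dev/urandom: $!" unless defined $r;
        die "short read from /dev/urandom"   if $r == 0;
        $got += $r;
    }
    close $fh;
    return unpack 'H*', $buf;                  # 64 hex characters
}

print "weak:   ", weak_session_id(),   "\n";   # looks random, but isn't
print "secure: ", secure_session_id(), "\n";
```

Both ids are 40 or 64 hex characters and look equally random to the eye, which is why a code review has to look at where the bits come from rather than at the output.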

Changes for version 0.42 - 2022-05-31

  • revised packaging
  • correctly specify test prerequisites as test prerequisites
  • drop unused Test::Exception prereq
  • drop Tie::RefHash prereq that was not used directly
  • only run pod tests for authors
  • ensure all optional tests are run by authors
  • drop use of Test::WWW::Mechanize::PSGI and Test::WWW::Mechanize::Catalyst in favor of a simpler user agent

Documentation

Understanding and using sessions.

Modules

Generic Session plugin - ties together server side storage and client side state required to maintain session data.
Base class for session state preservation plugins.
Base class for session storage drivers.
Doesn't really store sessions - useful for tests.
Reusable sanity for session storage engines.