/ 
Apache-Session-0.16
River stage two • 34 direct dependents • 52 total dependents
/ Apache::Session::Win32
Security Advisories (1)
CVE-2025-40931 (2026-03-05)

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

NAME

Apache::Session::Win32 - Store client sessions in a global hash

SYNOPSIS

use Apache::Session::Win32

DESCRIPTION

This is a Win32 storage subclass for Apache::Session. Client state is stored in a global hash. Since Win32 Apache is multithreaded instead of multiprocess, this actually works and is extremely quick. Try perldoc Session for more info.

INSTALLATION

Follow the installation instructions from Apache::Session.

Environment

Apache::Session::Win32 does not define any environment variables beyond those defined by Apache::Session.

USAGE

This package complies with the API defined by Apache::Session. For details, please see that package's documentation.

This package installs an entry on the Apache::Status menu which will let you monitor sessions in real-time.

AUTHORS

Jeffrey Baker <jeff@godzilla.tamu.edu>, author and maintainer.

Redistribute under the Perl Artistic License.