Security Advisories (1)
CVE-2025-40931 (2026-03-05)

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session ids. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns an MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

NAME

Apache::Session::MySQL::NoLock - An implementation of Apache::Session::MySQL without locking

SYNOPSIS

   use Apache::Session::MySQL::NoLock;

   # if you want Apache::Session to open new DB handles:

   tie %hash, 'Apache::Session::MySQL::NoLock', $id, {
      DataSource => 'dbi:mysql:sessions',
      UserName   => $db_user,
      Password   => $db_pass,
   };

   # or, if your handles are already opened:

   tie %hash, 'Apache::Session::MySQL::NoLock', $id, {
      Handle => $dbh,
   };

To configure the non-locking session store in RT (what I use this module for),
put the following into your RT_SiteConfig.pm module:

   Set($WebSessionClass, 'Apache::Session::MySQL::NoLock');

DESCRIPTION

This module is an implementation of Apache::Session. It uses the MySQL backing store and the Null locking scheme. See the SYNOPSIS above and the documentation for Apache::Session::Store::MySQL for more details.

WARNING

This module explicitly DOES NOT DO ANY LOCKING. This can cause your session data to be overwritten or stale data to be read by subsequent requests.

This CAN CAUSE LARGE PROBLEMS IN YOUR APPLICATION.
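The advisory above concerns the default session id generator shared by the Apache::Session modules, and the DESCRIPTION notes that this module is simply the MySQL store combined with the Null lock. Apache::Session::Flex lets those pieces be chosen separately, so an application can keep that same store/lock combination while replacing the id generator with one that does not depend on rand(), the epoch time or the PID. The following is an added example, not code from Apache::Session::MySQL::NoLock or from the Apache::Session distribution: the package name Apache::Session::Generate::Urandom, the DSN and the DB_USER/DB_PASS environment variables are assumptions chosen for the illustration. It relies only on the documented generator contract (a package exposing generate() and validate() that receive the session object) and on /dev/urandom being present.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not the module's own code): a session id generator that draws
# its bytes from /dev/urandom, wired in through Apache::Session::Flex together
# with the MySQL store and the Null lock that Apache::Session::MySQL::NoLock
# combines. The package name below is hypothetical.

package Apache::Session::Generate::Urandom;

# Apache::Session generators are plain packages exposing generate() and
# validate(). generate() must set $session->{data}->{_session_id}; the default
# of 32 hex characters mirrors Apache::Session::Generate::MD5's IDLength.
sub generate {
    my $session = shift;
    my $length  = $session->{args}->{IDLength} || 32;   # hex characters wanted
    my $bytes   = int(($length + 1) / 2);               # raw bytes needed

    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = sysread($fh, my $buf, $bytes);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $bytes;

    $session->{data}->{_session_id} = substr(unpack('H*', $buf), 0, $length);
}

# validate() is called on ids supplied by the client before the store is
# consulted, so it must die on anything that is not exactly the expected form.
# Requiring the configured length is stricter than the MD5 generator's check,
# which accepts any run of hex digits.
sub validate {
    my $session = shift;
    my $length  = $session->{args}->{IDLength} || 32;
    my $id      = $session->{data}->{_session_id};

    if (defined $id && $id =~ /\A([a-fA-F0-9]{$length})\z/) {
        $session->{data}->{_session_id} = $1;   # store the untainted copy
    } else {
        die "Invalid session ID: " . (defined $id ? $id : '<undef>');
    }
}

package main;

# Register the inline package so that Apache::Session::Flex's require() of
# Apache::Session::Generate::Urandom succeeds. In a deployment the package
# would live in its own file, Apache/Session/Generate/Urandom.pm, on @INC.
BEGIN { $INC{'Apache/Session/Generate/Urandom.pm'} = __FILE__ }

use Apache::Session::Flex;

my %session;
tie %session, 'Apache::Session::Flex', undef, {      # undef => create a new session
    Store      => 'MySQL',        # same backing store as ...::MySQL::NoLock
    Lock       => 'Null',         # same no-locking behaviour as ...::MySQL::NoLock;
                                  # use Lock => 'MySQL' where requests may race
    Generate   => 'Urandom',      # the generator defined above
    Serialize  => 'Storable',
    DataSource => 'dbi:mysql:sessions',   # placeholder DSN (assumption)
    UserName   => $ENV{DB_USER},          # placeholder credentials (assumption)
    Password   => $ENV{DB_PASS},
};

print "new session id: $session{_session_id}\n";
untie %session;
```

Keeping Lock => 'Null' reproduces exactly the behaviour this module's WARNING describes: two concurrent requests that each read, modify and write the same session can silently overwrite one another. Switching that one parameter to Lock => 'MySQL' restores Apache::Session's row locking without changing the store or the generator, which is the practical advantage of configuring the pieces through Apache::Session::Flex instead of a combined module.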

AUTHOR

This module was written by Tomas Doran <bobtfish@bobtfish.net>.

SEE ALSO

Apache::Session::MySQL, Apache::Session::Flex, Apache::Session