/ 
Apache-Session-1.94
River stage two • 34 direct dependents • 52 total dependents
/ Apache::Session::Store::DB_File
Security Advisories (1)
CVE-2025-40931 (2026-03-05)

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

NAME

Apache::Session::Store::DB_File - Use DB_File to store persistent objects

SYNOPSIS

use Apache::Session::Store::DB_File;

my $store = new Apache::Session::Store::DB_File;

$store->insert($ref);
$store->update($ref);
$store->materialize($ref);
$store->remove($ref);

DESCRIPTION

This module fulfills the storage interface of Apache::Session. The serialized objects are stored in a Berkeley DB file using the DB_File Perl module. If DB_File works on your platform, this module should also work.

OPTIONS

This module requires one argument in the usual Apache::Session style. The name of the option is FileName, and the value is the full path of the database file to be used as the backing store. If the database file does not exist, it will be created. Example:

tie %s, 'Apache::Session::DB_File', undef,
   {FileName => '/tmp/sessions'};

AUTHOR

This module was written by Jeffrey William Baker <jwbaker@acm.org>.

SEE ALSO

Apache::Session, DB_File