/ 
Plack-Middleware-Session-Simple-0.05
River stage one • 2 direct dependents • 2 total dependents
⭐ Starred 1 GitHub stars
/ Plack::Middleware::Session::Simple
Security Advisories (1)
CVE-2025-40926 (2026-03-05)

Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.

NAME

Plack::Middleware::Session::Simple - Make Session Simple

SYNOPSIS

use Plack::Builder;
use Cache::Memcached::Fast;

my $app = sub {
    my $env = shift;
    my $counter = $env->{'psgix.session'}->{counter}++;
    [200,[], ["counter => $counter"]];
};

builder {
    enable 'Session::Simple',
        store => Cache::Memcached::Fast::Safe->new({servers=>[..]}),
        cookie_name => 'myapp_session';
    $app
};

DESCRIPTION

Plack::Middleware::Session::Simple is a yet another session management module. This middleware has compatibility with Plack::Middleware::Session by supporting psgix.session and psgi.session.options. You can reduce unnecessary accessing to store and Set-Cookie header.

This module uses Cookie to keep session state. does not support URI based session state.

OPTIONS

store

object instance that has get, set, and remove methods.

This is the name of the session key, it defaults to 'simple_session'.

keep_empty

If disabled, Plack::Middleware::Session::Simple does not output Set-Cookie header and store session until session are used. You can reduce Set-Cookie header and access to session store that is not required. (default: true/enabled)

builder {
    enable 'Session::Simple',
        store => Cache::Memcached::Fast::Safe->new({servers=>[..]}),
        cookie_name => 'myapp_session',
        keep_empty => 0;
    mount '/' => sub {
        my $env = shift;
        [200,[], ["ok"]];
    },
    mount '/login' => sub {
        my $env = shift;
        $env->{'psgix.session'}->{user} = 'session user'
        [200,[], ["login"]];
    },
};

my $res = $app->(req_to_psgi(GET "/")); #res does not have Set-Cookie
my $res = $app->(req_to_psgi(GET "/login")); #res has Set-Cookie

If you have a plan to use session_id as csrf token, you must not disable keep_empty.

path

Path of the cookie, this defaults to "/";

domain

Domain of the cookie, if nothing is supplied then it will not be included in the cookie.

expires

Cookie's expires date time. several formats are supported. see Cookie::Baker for details. if nothing is supplied then it will not be included in the cookie, which means the session expires per browser session.

secure

Secure flag for the cookie, if nothing is supplied then it will not be included in the cookie.

httponly

HttpOnly flag for the cookie, if nothing is supplied then it will not be included in the cookie.

sid_generator

CodeRef that used to generate unique session ids, by default it uses SHA1

sid_validator

Regexp that used to validate session id in Cookie

serializer

serialize,deserialize method. Optional. This is useful with Cache::FastMmap

my $cfm = Cache::FastMmap->new(raw_values => 1);
my $decoder = Sereal::Decoder->new();
my $encoder = Sereal::Encoder->new();
builder {
  enable 'Session::Simple',
      store => $fm,
      serializer => [ sub { $encoder->encode($_[0]) }, sub { $decoder->decode($_[0]) } ],
  $app;
};

LICENSE

Copyright (C) Masahiro Nagano.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

AUTHOR

Masahiro Nagano <kazeburo@gmail.com>