File Coverage

blib/lib/Apache/Session/Generate/MD5.pm

Criterion	Covered	Total	%
statement	18	18	100.0
branch	4	4	100.0
condition			n/a
subroutine	5	5	100.0
pod	0	2	0.0
total	27	29	93.1

line	stmt	bran	sub	pod	time	code
1						#############################################################################
2						#
3						# Apache::Session::Generate::MD5;
4						# Generates session identifier tokens using MD5
5						# Copyright(c) 2000, 2001 Jeffrey William Baker (jwbaker@acm.org)
6						# Distribute under the Perl License
7						#
8						############################################################################
9
10						package Apache::Session::Generate::MD5;
11
12	3		3		1689	use strict;
	3				7
	3				122
13	3		3		15	use vars qw($VERSION);
	3				6
	3				125
14	3		3		14	use Digest::MD5;
	3				7
	3				1229
15
16						$VERSION = '2.12';
17
18						sub generate {
19	33		33	0	24564	my $session = shift;
20	33				118	my $length = 32;
21
22	33	100			165	if (exists $session->{args}->{IDLength}) {
23	28				51	$length = $session->{args}->{IDLength};
24						}
25
26	33				668	$session->{data}->{_session_id} =
27						substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, $length);
28
29
30						}
31
32						sub validate {
33						#This routine checks to ensure that the session ID is in the form
34						#we expect. This must be called before we start diddling around
35						#in the database or the disk.
36
37	2		2	0	4	my $session = shift;
38
39	2	100			17	if ($session->{data}->{_session_id} =~ /^([a-fA-F0-9]+)$/) {
40	1				7	$session->{data}->{_session_id} = $1;
41						} else {
42	1				14	die "Invalid session ID: ".$session->{data}->{_session_id};
43						}
44						}
45
46						1;
47
48						=pod
49
50						=head1 NAME
51
52						Apache::Session::Generate::MD5 - Use MD5 to create random object IDs
53
54						=head1 SYNOPSIS
55
56						use Apache::Session::Generate::MD5;
57
58						$id = Apache::Session::Generate::MD5::generate();
59
60						=head1 DESCRIPTION
61
62						This module fulfills the ID generation interface of Apache::Session. The
63						IDs are generated using a two-round MD5 of a random number, the time since the
64						epoch, the process ID, and the address of an anonymous hash. The resultant ID
65						number is highly entropic on Linux and other platforms that have good
66						random number generators. You are encouraged to investigate the quality of
67						your system's random number generator if you are using the generated ID
68						numbers in a secure environment.
69
70						This module can also examine session IDs to ensure that they are, indeed,
71						session ID numbers and not evil attacks. The reader is encouraged to
72						consider the effect of bogus session ID numbers in a system which uses
73						these ID numbers to access disks and databases.
74
75						This modules takes one argument in the usual Apache::Session style. The
76						argument is IDLength, and the value, between 0 and 32, tells this module
77						where to truncate the session ID. Without this argument, the session ID will
78						be 32 hexadecimal characters long, equivalent to a 128-bit key.
79
80						=head1 AUTHOR
81
82						This module was written by Jeffrey William Baker <jwbaker@acm.org>.
83
84						=head1 SEE ALSO
85
86						L<Apache::Session>