File Coverage

blib/lib/Apache/Session/Generate/MD5.pm
Criterion Covered Total %
statement 18 18 100.0
branch 4 4 100.0
condition n/a
subroutine 5 5 100.0
pod 0 2 0.0
total 27 29 93.1


line stmt bran cond sub pod time code
1             #############################################################################
2             #
3             # Apache::Session::Generate::MD5;
4             # Generates session identifier tokens using MD5
5             # Copyright(c) 2000, 2001 Jeffrey William Baker (jwbaker@acm.org)
6             # Distribute under the Perl License
7             #
8             ############################################################################
9              
10             package Apache::Session::Generate::MD5;
11              
12 3     3   1689 use strict;
  3         7  
  3         122  
13 3     3   15 use vars qw($VERSION);
  3         6  
  3         125  
14 3     3   14 use Digest::MD5;
  3         7  
  3         1229  
15              
16             $VERSION = '2.12';
17              
18             sub generate {
19 33     33 0 24564 my $session = shift;
20 33         118 my $length = 32;
21            
22 33 100       165 if (exists $session->{args}->{IDLength}) {
23 28         51 $length = $session->{args}->{IDLength};
24             }
25            
26 33         668 $session->{data}->{_session_id} =
27             substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, $length);
28            
29              
30             }
31              
32             sub validate {
33             #This routine checks to ensure that the session ID is in the form
34             #we expect. This must be called before we start diddling around
35             #in the database or the disk.
36              
37 2     2 0 4 my $session = shift;
38            
39 2 100       17 if ($session->{data}->{_session_id} =~ /^([a-fA-F0-9]+)$/) {
40 1         7 $session->{data}->{_session_id} = $1;
41             } else {
42 1         14 die "Invalid session ID: ".$session->{data}->{_session_id};
43             }
44             }
45              
46             1;
47              
48             =pod
49              
50             =head1 NAME
51              
52             Apache::Session::Generate::MD5 - Use MD5 to create random object IDs
53              
54             =head1 SYNOPSIS
55              
56             use Apache::Session::Generate::MD5;
57              
58             $id = Apache::Session::Generate::MD5::generate();
59              
60             =head1 DESCRIPTION
61              
62             This module fulfills the ID generation interface of Apache::Session. The
63             IDs are generated using a two-round MD5 of a random number, the time since the
64             epoch, the process ID, and the address of an anonymous hash. The resultant ID
65             number is highly entropic on Linux and other platforms that have good
66             random number generators. You are encouraged to investigate the quality of
67             your system's random number generator if you are using the generated ID
68             numbers in a secure environment.
69              
70             This module can also examine session IDs to ensure that they are, indeed,
71             session ID numbers and not evil attacks. The reader is encouraged to
72             consider the effect of bogus session ID numbers in a system which uses
73             these ID numbers to access disks and databases.
74              
75             This modules takes one argument in the usual Apache::Session style. The
76             argument is IDLength, and the value, between 0 and 32, tells this module
77             where to truncate the session ID. Without this argument, the session ID will
78             be 32 hexadecimal characters long, equivalent to a 128-bit key.
79              
80             =head1 AUTHOR
81              
82             This module was written by Jeffrey William Baker <jwbaker@acm.org>.
83              
84             =head1 SEE ALSO
85              
86             L<Apache::Session>