# Dancer 1 plugin that swaps Dancer::Session::Abstract::build_id for a
# generator backed by Crypt::Random (installed by use_secure_session_id below).
package Dancer::Plugin::SecureSessionID;
2              
3 3     3   479154 use Modern::Perl;
4              
5 3     3   546 use Carp 'croak';
6 3     3   2471 use Dancer ':syntax';
7 3     3   4651 use Dancer::Plugin;
8 3     3   7561 use Dancer::Session::Abstract ();
9 3     3   165183 use Crypt::Random ();
10             use MIME::Base64 ();
11              
12             =head1 NAME
13              
14             Dancer::Plugin::SecureSessionID - Dancer-Plugin-SecureSessionID
15              
16             =head1 VERSION
17              
18             Version 0.01
19              
20             =cut
21              
# Distribution version; keep in sync with the VERSION section of the POD.
our $VERSION = '0.01';
23              
24             =head1 SYNOPSIS
25              
    use Dancer::Plugin::SecureSessionID;

    use_secure_session_id;
29              
30             =head1 DESCRIPTION
31              
This plugin overrides the C<build_id> method in L<Dancer::Session::Abstract> and makes use of L<Crypt::Random> to get really secure random session ids.
33              
34             =head1 METHODS
35              
36             =head2 C<< use_secure_session_id([ %options ]) >>
37              
The options are passed into C<Crypt::Random::makerandom_octet>, so any option described in L<Crypt::Random> is valid here. The defaults are Strength=1 and Length=16. These options can be set with plugin settings, too.
39              
    use_secure_session_id(Length => 20, Uniform => 1, Skip => 512);
41              
42             same as:
43              
    plugins:
        SecureSessionID:
            Length: 20
            Uniform: 1
            Skip: 512
49              
The result is encoded with C<MIME::Base64::encode_base64url>. A length of 16 random bytes results in 22 characters.
51              
52             =cut
53              
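# Keyword exported to the app. Installs a Crypt::Random based build_id into
# Dancer::Session::Abstract, so every session engine that does not define its
# own build_id gets a session id made of $options{Length} random bytes.
#
# Arguments: an optional list of key/value pairs that are passed verbatim to
# Crypt::Random::makerandom_octet (e.g. Length, Strength, Uniform, Skip).
# Precedence, lowest to highest: built-in defaults, the plugin's settings from
# the Dancer config, the arguments given at the call site.
# Dies (via croak) when the resulting Length is not a positive integer, since
# a zero or negative length would yield empty session ids.
register use_secure_session_id => sub {
    my %options = (
        Length   => 16,
        Strength => 1,
        %{ plugin_setting || {} },
        @_,
    );

    # A misconfigured Length (e.g. "Length: 0" in the config) must not be
    # silently handed on: short ids weaken the session, empty ones break it.
    my $length = $options{Length};
    croak "use_secure_session_id: Length must be a positive integer, got "
        . (defined $length ? "'$length'" : 'undef')
        unless defined $length && $length =~ m{\A [1-9][0-9]* \z}xms;

    # Only the CODE slot of the glob is replaced (the previous code undef'd
    # the whole typeglob). The 'redefine' warning that Modern::Perl's
    # warnings would raise is silenced for this assignment, because
    # overriding the stock build_id is the whole point of the plugin. The
    # override is process-wide; engines with their own build_id are untouched.
    no strict 'refs';
    no warnings 'redefine';
    *{'Dancer::Session::Abstract::build_id'} = sub {
        # Strength is passed through to Crypt::Random; see its documentation
        # (and SECURITY WARNING below) for the blocking behaviour it selects.
        my $octets = Crypt::Random::makerandom_octet(%options);
        # URL-safe Base64 with no padding and no line breaks: 16 random
        # bytes become a 22 character id.
        return MIME::Base64::encode_base64url($octets, '');
    };
};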
69              
70             =head1 SECURITY WARNING
71              
Any session module which does not override C<build_id> benefits from this plugin; session engines that define their own C<build_id> are not affected. This behaviour may change in the future. Don't rely on it without auditing the source code of the affected session modules. At present, both the Simple and YAML session engines (shipped with the Dancer package) do not override C<build_id>, so this plugin works as expected.
73              
Additionally, mind the section about blocking behaviour in the documentation of L<Crypt::Random>. If your app blocks, you can set the C<Strength> option to 0. This may reduce security, but it helps to improve performance. Since your app causes network traffic, the entropy pool will be recharged often enough to never get blocked. See also L.
75              
76             =head1 AUTHOR
77              
78             David Zurborg, C<< >>
79              
80             =head1 BUGS
81              
Please report any bugs or feature requests through my project management tool
83             at L. I
84             will be notified, and then you'll automatically be notified of progress on
85             your bug as I make changes.
86              
87             =head1 SUPPORT
88              
89             You can find documentation for this module with the perldoc command.
90              
    perldoc Dancer::Plugin::SecureSessionID
92              
93             You can also look for information at:
94              
95             =over 4
96              
97             =item * Redmine: Homepage of this module
98              
99             L
100              
101             =item * RT: CPAN's request tracker
102              
103             L
104              
105             =item * AnnoCPAN: Annotated CPAN documentation
106              
107             L
108              
109             =item * CPAN Ratings
110              
111             L
112              
113             =item * Search CPAN
114              
115             L
116              
117             =back
118              
119             =head1 COPYRIGHT & LICENSE
120              
121             Copyright 2014 David Zurborg, all rights reserved.
122              
123             This program is released under the following license: open-source
124              
125             =cut
126              
# Finalise the plugin with Dancer::Plugin so the keyword registered above is
# exported into the app that loads this module; a package must end true.
register_plugin;
1;