File Coverage

blib/lib/Dancer/Plugin/SecureSessionID.pm
Criterion Covered Total %
statement 41 42 97.6
branch 3 6 50.0
condition 1 2 50.0
subroutine 12 12 100.0
pod n/a
total 57 62 91.9


line stmt bran cond sub pod time code
1             package Dancer::Plugin::SecureSessionID;
2              
3 3     3   224329 use Modern::Perl;
  3         20532  
  3         16  
4              
5 3     3   428 use Carp 'croak';
  3         4  
  3         146  
6 3     3   1354 use Dancer ':syntax';
  3         354042  
  3         16  
7 3     3   2217 use Dancer::Plugin;
  3         3271  
  3         189  
8 3     3   1473 use Dancer::Session::Abstract ();
  3         2402  
  3         53  
9 3     3   1334 use Crypt::OpenSSL::Random ();
  3         10289  
  3         65  
10 3     3   1257 use MIME::Base64 ();
  3         1596  
  3         259  
11              
12             =head1 NAME
13              
14             Dancer::Plugin::SecureSessionID - A secure replacement of Dancer's built-in session id generator
15              
16             =head1 VERSION
17              
18             Version 0.02
19              
20             =cut
21              
22             our $VERSION = '0.02';
23              
24             =head1 SYNOPSIS
25              
26             use Dancer::Plugin::SecureSessionID;
27              
28             use_secure_session_id;
29              
30             =head1 DESCRIPTION
31              
32             This plugin overrides the C method in L and make use of L to get really secure random session ids.
33              
34             =head1 METHODS
35              
36             =head2 C<< use_secure_session_id([ %options ]) >>
37              
38             In a previous version of the module, the options ware passed into C. For compatibility reasons, the option-keys Strength, Length and Skip are still valid. B.
39              
40             The defaults are Strength=1 and Length=16. These options can be set with plugin settings, too.
41              
42             use_secure_session_id(Length => 20, Uniform => 1, Skip => 512);
43              
44             same as:
45              
46             plugins:
47             SecureSessionID:
48             Length: 20
49             Uniform: 1
50             Skip: 512
51              
52             The result is encoded with C. A length of 16 random bytes results in 22 characters.
53              
54             =cut
55              
56             register use_secure_session_id => sub {
57 1 50       5 my %options = (
58             Length => 16,
59             Strength => 1,
60 1     1   795 %{ plugin_setting || {} },
61             @_
62             );
63 1 50       26 warn "option 'Uniform' is deprecated" if $options{Uniform};
64 3     3   15 no strict 'refs';
  3         4  
  3         72  
65 3     3   13 no warnings 'redefine';
  3         9  
  3         318  
66 1         16 *{'Dancer::Session::Abstract::build_id'} = sub {
67 1     1   1891 my $r;
68 1   50     8 $options{Skip} ||= 0;
69 1 50       3 if ($options{Strength}) {
70 1         131 $r = Crypt::OpenSSL::Random::random_bytes($options{Length} + $options{Skip});
71             } else {
72 0         0 $r = Crypt::OpenSSL::Random::random_pseudo_bytes($options{Length} + $options{Skip});
73             }
74 3     3   23 use bytes;
  3         5  
  3         19  
75 1         4 $r = substr($r, $options{Skip});
76 1         5 return MIME::Base64::encode_base64url($r,'');
77 1         6 };
78             };
79              
80             =head1 SECURITY WARNING
81              
82             Any session module which does not override C make profit from this plugin. This behaviour may change in future. Don't rely on it without auditing the source code of the affected session modules. By now, both the Simple and YAML session engines (shipped with the Dancer package) do not override C so this plugin works as expected.
83              
84             Addtionally, mind the blocking behaviour when C is requested. If your application blocks, you can set the C option to 0. This may be a lack of security but it helps to improve performance. Since your application cause network traffic, the entropy pool will be recharged often enough to never get stalled. See also L.
85              
86             =head1 AUTHOR
87              
88             David Zurborg, C<< >>
89              
90             =head1 BUGS
91              
92             Please report any bugs or feature requests trough my project management tool
93             at L. I
94             will be notified, and then you'll automatically be notified of progress on
95             your bug as I make changes.
96              
97             =head1 SUPPORT
98              
99             You can find documentation for this module with the perldoc command.
100              
101             perldoc Dancer::Plugin::SecureSessionID
102              
103             You can also look for information at:
104              
105             =over 4
106              
107             =item * Redmine: Homepage of this module
108              
109             L
110              
111             =item * RT: CPAN's request tracker
112              
113             L
114              
115             =item * AnnoCPAN: Annotated CPAN documentation
116              
117             L
118              
119             =item * CPAN Ratings
120              
121             L
122              
123             =item * Search CPAN
124              
125             L
126              
127             =back
128              
129             =head1 COPYRIGHT & LICENSE
130              
131             Copyright 2014 David Zurborg, all rights reserved.
132              
133             This program is released under the following license: open-source
134              
135             =cut
136              
137             register_plugin;
138             1;