Dancer-Plugin-SecureSessionID

lib/Dancer/Plugin/SecureSessionID.pm

package Dancer::Plugin::SecureSessionID;

use Modern::Perl;

use Carp 'croak';
use Dancer ':syntax';
use Dancer::Plugin;
use Dancer::Session::Abstract ();
use Crypt::OpenSSL::Random ();
use MIME::Base64 ();

=head1 NAME

Dancer::Plugin::SecureSessionID - A secure replacement of Dancer's built-in session id generator

=head1 VERSION

Version 0.02

=cut

our $VERSION = '0.02';

=head1 SYNOPSIS

    use Dancer::Plugin::SecureSessionID;

    use_secure_session_id;

=head1 DESCRIPTION

This plugin overrides the C<build_id()> method in L<Dancer::Session::Abstract|Dancer::Session::Abstract> and makes use of L<Crypt::OpenSSL::Random|Crypt::OpenSSL::Random> to get really secure random session ids.

=head1 METHODS

=head2 C<< use_secure_session_id([ %options ]) >>

In a previous version of the module, the options were passed into C<Crypt::Random::makerandom_octet(...)>. For compatibility reasons, the option-keys Strength, Length and Skip are still valid. B<Other option-keys are no longer supported>.

The defaults are Strength=1 and Length=16. These options can be set with plugin settings, too.

	use_secure_session_id(Length => 20, Uniform => 1, Skip => 512);

same as:

	plugins:
	  SecureSessionID:
	    Length: 20
	    Uniform: 1
	    Skip: 512

The result is encoded with C<base64url()>. A length of 16 random bytes results in 22 characters.

=cut

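register use_secure_session_id => sub {
	# Precedence, lowest to highest: built-in defaults, plugin settings, call arguments.
	my %options = (
		Length => 16,
		Strength => 1,
		%{ plugin_setting || {} },
		@_
	);
	# 'Uniform' belonged to the earlier implementation; warn if a caller still sets it.
	warn "option 'Uniform' is deprecated" if $options{Uniform};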
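The listing is cut off at this point. As an added illustration (not the plugin's own code), the following script shows the relationship the documentation states, that 16 random bytes from Crypt::OpenSSL::Random encode to 22 base64url characters, together with a shape check an application can run on an incoming id before touching the session store. The helper names `encoded_length`, `make_session_id` and `looks_like_session_id` are hypothetical, and the Strength and Skip options are not modelled.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::OpenSSL::Random ();
use MIME::Base64 ();

# Unpadded base64url length for $n bytes: ceil(4n/3), in integer arithmetic.
sub encoded_length { my ($n) = @_; return int((4 * $n + 2) / 3) }

# Hypothetical helper, not the plugin's code: $n random bytes, base64url-encoded.
sub make_session_id {
    my ($n) = @_;
    die "Length must be a positive integer\n"
        unless defined $n && $n =~ /\A[1-9][0-9]*\z/;
    # Fail closed if OpenSSL reports that its generator is not seeded.
    die "OpenSSL PRNG is not seeded\n"
        unless Crypt::OpenSSL::Random::random_status();
    my $bytes = Crypt::OpenSSL::Random::random_bytes($n);
    die "PRNG returned too few bytes\n"
        unless defined $bytes && length($bytes) == $n;
    return MIME::Base64::encode_base64url($bytes);
}

# Hypothetical shape check for an id received in a cookie,
# meant to run before any session-store lookup.
sub looks_like_session_id {
    my ($id, $n) = @_;
    my $chars = encoded_length($n);
    return (defined $id && $id =~ /\A[A-Za-z0-9_-]{$chars}\z/) ? 1 : 0;
}

for my $n (16, 20) {
    my $id = make_session_id($n);
    die "unexpected id shape\n" unless looks_like_session_id($id, $n);
    printf "Length=%d: %d characters, %d random bits\n",
        $n, length($id), 8 * $n;
}

# Constructed malformed values that the check must reject for Length=16.
my @bad = ('', 'A' x 21, 'A' x 23, ('A' x 21) . '=',
           ('A' x 21) . '/', '../sessions/x');
for my $bad (@bad) {
    die "accepted malformed id '$bad'\n" if looks_like_session_id($bad, 16);
}
print "malformed ids rejected\n";
```

Because the base64url alphabet contains no `/`, `+` or `=`, an id that passes the shape check is safe to place in a cookie value or a file name used by a file-backed session store.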
