Dancer::Session::Cookie - Encrypted cookie-based session backend for Dancer
session_cookie_key: "this random key IS NOT very random"
This module implements a session engine for sessions stored entirely in cookies. Usually only the session id is stored in a cookie and the session data itself is saved in some external storage, e.g. a database. This module allows one to avoid using external storage at all.
Since the server cannot trust any data returned by the client in cookies, this module uses cryptography to ensure both integrity and secrecy. The data your application stores in sessions is completely protected from both tampering and inspection on the client side.
Do be aware that browsers limit the size of individual cookies, so this method is not suitable if you wish to store a large amount of data. Browsers typically limit the size of a cookie to 4KB, but that includes the space taken to store the cookie's name, expiration and other attributes as well as its
The setting session should be set to "cookie" in order to use this session engine in a Dancer application. See Dancer::Config.
A mandatory setting is needed as well: session_cookie_key, which should contain a random string of at least 16 characters (shorter keys are not cryptographically strong when used with AES in CBC mode).
The optional session_expires setting can also be passed, which sets the lifetime of the cookie. If it is not present, the cookie won't have an expiration value.
Here is an example configuration to use in your config.yml:

    session_expires: 1 hour
A leaked session_cookie_key will disclose session data to clients, proxies or eavesdroppers and will also allow tampering, for example session theft. So your config.yml should be kept at least as secure as your database passwords, or even more so.
Also, changing session_cookie_key immediately invalidates all sessions issued with the old value of the key.
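As an added example, not part of the module's own documentation, the following stand-alone script drives Session::Storage::Secure (the dependency this engine is built on) through what happens to a cookie on each response and request: encode, size check, decode, rejection of a tampered value, and invalidation after a key change. The key and session data are constructed placeholders.

```perl
#!/usr/bin/env perl
# Added example: exercises Session::Storage::Secure, the dependency this
# module uses, the way the session engine does on every request/response.
use strict;
use warnings;
use Session::Storage::Secure;

# Stand-in for session_cookie_key from config.yml (constructed placeholder;
# use a random string of at least 16 characters in a real deployment).
my $key = 'CHANGE-ME-random-string-of-32-bytes!';

my $store = Session::Storage::Secure->new(
    secret_key       => $key,
    default_duration => 3600,    # the equivalent of "session_expires: 1 hour"
);

# Whatever the application put in the session on this request (constructed).
my $session = { user_id => 42, roles => ['editor'], csrf => 'abc123' };

# Response side: serialize, encrypt and MAC the data into one opaque string.
my $cookie_value = $store->encode($session);

# Browsers cap a cookie near 4KB including name and attributes, so refuse
# early rather than ship a cookie the browser will silently drop.
die "session data too large for a single cookie\n"
    if length($cookie_value) > 4000;

# Request side: a valid cookie decodes back to the original structure.
my $roundtrip = $store->decode($cookie_value);
print "user_id=$roundtrip->{user_id} roles=@{$roundtrip->{roles}}\n";

# Client-side tampering: altering a single character breaks the MAC and
# decode() returns undef, so the engine starts a fresh empty session.
my $tampered = $cookie_value;
substr($tampered, -1, 1) = substr($tampered, -1, 1) eq 'A' ? 'B' : 'A';
print "tampered cookie rejected\n" unless defined $store->decode($tampered);

# Key rotation: a store built with a different key cannot verify cookies
# issued under the old one, which is the immediate invalidation of all
# existing sessions described above.
my $rotated = Session::Storage::Secure->new(
    secret_key => 'another-long-random-key-after-rotation',
);
print "old sessions invalid after key change\n"
    unless defined $rotated->decode($cookie_value);
```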
A further setting can be used to control the path of the session cookie. The default is /.
The global session_secure setting is honoured, and a secure (https only) cookie will be used if it is set.
This module depends on Session::Storage::Secure. Legacy support is provided using Crypt::CBC, Crypt::Rijndael, String::CRC32, Storable and MIME::Base64.
See Dancer::Session for details about session usage in route handlers.
See Plack::Middleware::Session::Cookie, Catalyst::Plugin::CookiedSession and "session" in Mojolicious::Controller for alternative implementations of this mechanism.
- Alex Kapranoff
- Alex Sukria
- David Golden
- Yanick Champoux
This software is copyright (c) 2015 by Alex Kapranoff.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.