[Catalyst-commits] r10832 - in Catalyst-Plugin-Session/0.00/trunk: . lib/Catalyst/Plugin

t0m at dev.catalyst.perl.org t0m at dev.catalyst.perl.org
Wed Jul 8 21:51:20 GMT 2009 

Author: t0m
Date: 2009-07-08 21:51:19 +0000 (Wed, 08 Jul 2009)
New Revision: 10832

Modified:
   Catalyst-Plugin-Session/0.00/trunk/Changes
   Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm
Log:
Changelog, attribute kmx, strip trailing whitespace

Modified: Catalyst-Plugin-Session/0.00/trunk/Changes
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/Changes	2009-07-08 21:47:34 UTC (rev 10831)
+++ Catalyst-Plugin-Session/0.00/trunk/Changes	2009-07-08 21:51:19 UTC (rev 10832)
@@ -1,5 +1,11 @@
 Revision history for Perl extension Catalyst::Plugin::Session
 
+0.25 2009-0708
+        - Add the a change_session_id method which can be called after
+          authentication to change the user's session cookie whilst preserving
+          their session data. This can be used to provide protection from
+          Session Fixation attacks. (kmx)
+
 0.24 2009-06-23
         - Be more paranoid about getting values of $c->req to avoid issues
           with old Test::WWW::Mechanize::Catalyst.

Modified: Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm	2009-07-08 21:47:34 UTC (rev 10831)
+++ Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm	2009-07-08 21:51:19 UTC (rev 10832)
@@ -13,7 +13,7 @@
 
 use namespace::clean -except => 'meta';
 
-our $VERSION = '0.24';
+our $VERSION = '0.25';
 
 my @session_data_accessors; # used in delete_session
 
@@ -168,7 +168,7 @@
                 delete $flash_data->{$key};
             }
         }
-        
+
         my $sid = $c->sessionid;
 
         my $session_data = $c->_session;
@@ -262,7 +262,7 @@
         if ( my $flash_data = $c->_flash )
         {
             $c->_flash_key_hashes({ map { $_ => Object::Signature::signature( \$flash_data->{$_} ) } keys %$flash_data });
-            
+
             return $flash_data;
         }
     }
@@ -294,7 +294,7 @@
     my $sessiondata = $c->session;
     my $oldsid = $c->sessionid;
     my $newsid = $c->create_session_id;
-		
+
     if ($oldsid) {
         $c->log->debug(qq/change_sessid: deleting session data from "$oldsid"/) if $c->debug;
         $c->delete_session_data("${_}:${oldsid}") for qw/session expires flash/;
@@ -303,7 +303,7 @@
     $c->log->debug(qq/change_sessid: storing session data to "$newsid"/) if $c->debug;
     $c->store_session_data( "session:$newsid" => $sessiondata );
 
-    return $newsid; 
+    return $newsid;
 }
 
 sub delete_session {
@@ -363,7 +363,7 @@
 
 sub reset_session_expires {
     my ( $c, $sid ) = @_;
-    
+
     my $exp = $c->calculate_initial_session_expires;
     $c->_session_expires( $exp );
     $c->_extended_session_expires( $exp );
@@ -372,7 +372,7 @@
 
 sub sessionid {
     my $c = shift;
-    
+
     return $c->_sessionid || $c->_load_sessionid;
 }
 
@@ -428,7 +428,7 @@
     (@{$href}{@keys}) = ((undef) x @keys);
 }
 
-sub _flash_data { 
+sub _flash_data {
     my $c = shift;
     $c->_flash || $c->_load_flash || do {
         $c->create_session_id_if_needed;
@@ -454,7 +454,7 @@
 
 sub clear_flash {
     my $c = shift;
-    
+
     #$c->delete_session_data("flash:" . $c->sessionid); # should this be in here? or delayed till finalization?
     $c->_flash_key_hashes({});
     $c->_flash_keep_keys({});
@@ -508,7 +508,7 @@
 
 sub create_session_id {
     my $c = shift;
-    
+
     my $sid = $c->generate_session_id;
 
     $c->log->debug(qq/Created session "$sid"/) if $c->debug;
@@ -712,7 +712,7 @@
         my ( $self, $c ) = @_;
 
         if ( exists $c->flash->{beans} ) { # false
-        
+
         }
     }
 
@@ -776,7 +776,7 @@
 If you want to prevent this session fixation scenario:
 
     0) let us have WebApp with anonymous and authenticated parts
-    1) a hacker goes to vulnerable WebApp and gets a real sessionid, 
+    1) a hacker goes to vulnerable WebApp and gets a real sessionid,
        just by browsing anonymous part of WebApp
     2) the hacker inserts (somehow) this values into a cookie in victim's browser
     3) after the victim logs into WebApp the hacker can enter his/her session
@@ -978,7 +978,7 @@
 =item verify_user_agent
 
 When true, C<<$c->request->user_agent>> will be checked at prepare time. If it
-is not the same as the user agent that initiated the session, the session is 
+is not the same as the user agent that initiated the session, the session is
 deleted.
 
 Defaults to false.
@@ -1093,6 +1093,8 @@
 
 Sergio Salvi
 
+kmx C<kmx at volny.cz>
+
 And countless other contributers from #catalyst. Thanks guys!
 
 =head1 COPYRIGHT & LICENSE

More information about the Catalyst-commits mailing list