Security Advisories (1)
CVE-2026-2439 (2026-02-16)

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to Perl's built-in rand function. Neither of these methods is secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically:

* There is no warning when uuidgen fails. If the command fails for any reason, the software quietly uses the fallback rand() function.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
* UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
* The output of the built-in rand() function is predictable and unsuitable for security applications.

NAME

Concierge::Sessions::Base - Base class for session storage backends

VERSION

version 0.8.1

SYNOPSIS

# This is a base class - do not use directly
# Backend implementations inherit from this class:

package Concierge::Sessions::MyBackend;
use strict;
use warnings;
use parent 'Concierge::Sessions::Base';

sub create_session {
    my ($self, %args) = @_;
    # Implementation...
}

# Implement other required methods...

DESCRIPTION

Concierge::Sessions::Base is a base class that defines the interface for session storage backends. Backend implementations (SQLite, File) inherit from this class and must implement the defined methods.

This class also provides utility methods such as generate_session_id().

Users typically do not interact with this class directly - they use Concierge::Sessions which manages backend objects internally.

REQUIRED METHODS

Backend implementations must implement the following methods:

create_session

Creates a new session in the backend storage.

my $result = $backend->create_session(
    user_id         => 'user123',
    session_timeout => 3600,
    data            => \%session_data,
);

Must return:

{
    success => 1,
    session_id => 'uuid-string',
}

get_session_info

Retrieves session information from backend storage.

my $result = $backend->get_session_info($session_id);

Must return:

{
    success => 1,
    info => {
        session_id      => 'uuid',
        user_id         => 'user123',
        session_timeout => 3600,
        data            => \%data,
        created_at      => $timestamp,
        expires_at      => $timestamp,
        last_updated    => $timestamp,
        status          => { state => 'active', dirty => 0 },
    },
}

Or on error:

{
    success => 0,
    message => "Error description",
}

update_session

Updates session data and metadata in backend storage.

my $result = $backend->update_session(
    $session_id,
    {
        data       => \%new_data,
        expires_at => $new_expiration,
    },
);

Must return:

{
    success => 1,
}

Or on error:

{
    success => 0,
    message => "Error description",
}

delete_session

Deletes a session from backend storage.

my $result = $backend->delete_session($session_id);

Must return:

{
    success => 1,
    message => "Session deleted",
}

cleanup_sessions

Removes all expired sessions from backend storage.

my $result = $backend->cleanup_sessions();

Must return:

{
    success => 1,
    deleted_count => 15,
}

delete_user_session

Deletes all sessions for a specific user from backend storage.

my $result = $backend->delete_user_session($user_id);

Must return:

{
    success => 1,
    deleted_count => 3,
}

UTILITY METHODS

generate_session_id

Generates a unique session ID using UUID v4 format.

my $uuid = $backend->generate_session_id();

Returns: Lowercase UUID string such as 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'.

This method attempts to use the system's uuidgen command if available, with a fallback to a Perl-based UUID v4 generator.
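The following is an added example, not code from the Concierge::Sessions distribution. It serves two purposes: it implements the full backend interface documented under REQUIRED METHODS as an in-memory store, and it shows a generate_session_id that addresses the advisory at the top of this page by drawing 16 bytes from the kernel CSPRNG and dying on any failure rather than silently degrading to rand(). The package name Concierge::Sessions::Memory is hypothetical; the class is written without `use parent 'Concierge::Sessions::Base'` so it runs on core Perl alone, and it assumes a platform that provides /dev/urandom.

```perl
package Concierge::Sessions::Memory;   # hypothetical name, not part of the distribution
use strict;
use warnings;

# A real backend would declare: use parent 'Concierge::Sessions::Base';
# This generate_session_id would then shadow the base-class version that the
# advisory describes (uuidgen with a silent rand() fallback).

sub new {
    my ($class) = @_;
    return bless { sessions => {} }, $class;
}

# 122 random bits from the kernel CSPRNG, formatted as a version 4 UUID.
# Dies instead of degrading: a session id generator must never quietly
# fall back to a weaker source.
sub generate_session_id {
    my ($self) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    my @b = unpack 'C16', $bytes;
    $b[6] = ($b[6] & 0x0f) | 0x40;   # version nibble = 4
    $b[8] = ($b[8] & 0x3f) | 0x80;   # RFC 9562 variant bits = 10
    my $hex = unpack 'H32', pack 'C16', @b;
    return join '-', unpack 'A8 A4 A4 A4 A12', $hex;
}

sub create_session {
    my ($self, %args) = @_;
    return { success => 0, message => 'user_id required' }
        unless defined $args{user_id};
    my $id  = $self->generate_session_id;
    my $now = time;
    my $ttl = $args{session_timeout} // 3600;
    $self->{sessions}{$id} = {
        session_id      => $id,
        user_id         => $args{user_id},
        session_timeout => $ttl,
        data            => $args{data} // {},
        created_at      => $now,
        expires_at      => $now + $ttl,
        last_updated    => $now,
        status          => { state => 'active', dirty => 0 },
    };
    return { success => 1, session_id => $id };
}

sub get_session_info {
    my ($self, $id) = @_;
    my $s = $self->{sessions}{$id}
        or return { success => 0, message => 'Session not found' };
    return { success => 1, info => { %$s } };
}

sub update_session {
    my ($self, $id, $changes) = @_;
    my $s = $self->{sessions}{$id}
        or return { success => 0, message => 'Session not found' };
    $s->{data}       = $changes->{data}       if exists $changes->{data};
    $s->{expires_at} = $changes->{expires_at} if exists $changes->{expires_at};
    $s->{last_updated} = time;
    return { success => 1 };
}

sub delete_session {
    my ($self, $id) = @_;
    delete $self->{sessions}{$id};
    return { success => 1, message => 'Session deleted' };
}

sub cleanup_sessions {
    my ($self) = @_;
    my $now = time;
    my @expired = grep { $self->{sessions}{$_}{expires_at} <= $now }
        keys %{ $self->{sessions} };
    delete @{ $self->{sessions} }{@expired};
    return { success => 1, deleted_count => scalar @expired };
}

sub delete_user_session {
    my ($self, $user_id) = @_;
    my @mine = grep { $self->{sessions}{$_}{user_id} eq $user_id }
        keys %{ $self->{sessions} };
    delete @{ $self->{sessions} }{@mine};
    return { success => 1, deleted_count => scalar @mine };
}

package main;

# Constructed usage: create, verify the id shape, then remove by user.
my $backend = Concierge::Sessions::Memory->new;
my $r = $backend->create_session(
    user_id => 'user123', session_timeout => 60, data => { role => 'viewer' },
);
die $r->{message} unless $r->{success};
$r->{session_id} =~ /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/
    or die "not a version 4 UUID";
print "session: $r->{session_id}\n";
print "removed: ", $backend->delete_user_session('user123')->{deleted_count}, "\n";
```

The point of the generator is the failure handling, not the formatting: every error path dies, so a misconfigured host produces a visible crash rather than a pool of guessable ids. On platforms without /dev/urandom the byte read should go through a module such as Crypt::URandom, keeping the same die-on-failure behaviour.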

SEE ALSO

Concierge::Sessions::SQLite - SQLite backend implementation

Concierge::Sessions::File - File backend implementation

Concierge::Sessions - Session manager

AUTHOR

Bruce Van Allen <bva@cruzio.com>

LICENSE

Artistic License 2.0