Security Advisories (1)
CVE-2026-2439 (2026-02-16)

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to Perl's built-in rand function. Neither method is secure, and an attacker can guess session ids that grant access to systems. Specifically:

  • There is no warning when uuidgen fails. If the command fails for any reason, the software quietly falls back to rand() without any notice.

  • Because the call does not pass the --random option, uuidgen generates a time-based UUID when the system lacks a high-quality random number source. Note that the system time is disclosed in HTTP responses (the Date header).

  • RFC 9562 warns that UUIDs must not be used as security capabilities (identifiers whose mere possession grants access), which is exactly how a session id is used.

  • The output of the built-in rand() function is predictable and unsuitable for security applications.

The version documented on this page, 0.8.4, falls inside the affected range.
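The advisory names two weak id sources and a silent fallback. The following is an added example, not code from Concierge::Sessions: it reads 16 bytes from /dev/urandom in-process, sets the version and variant bits of a version 4 UUID as RFC 9562 specifies, dies instead of degrading when the random source is unavailable, and inspects the version nibble so that a time-based (version 1) UUID, which is what uuidgen emits without --random on a host with no good random source, is rejected rather than trusted. The function names and the sample version 1 UUID are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example (not Concierge::Sessions code): generate a session id from the
# kernel CSPRNG and fail loudly instead of falling back to rand().
use strict;
use warnings;

# Return the RFC 9562 version nibble of a textual UUID, or undef if malformed.
# Version 1 is time-based (clock + node id); version 4 carries 122 random bits.
sub uuid_version {
    my ($uuid) = @_;
    return undef unless defined $uuid
        && $uuid =~ /^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
    return hex($1);
}

# Generate a version 4 UUID from /dev/urandom. Dies if the random source is
# unavailable or the read is short, rather than silently degrading.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = sysread($fh, my $bytes, 16);
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;

    my @b = unpack 'C16', $bytes;
    $b[6] = ($b[6] & 0x0f) | 0x40;   # version nibble = 4
    $b[8] = ($b[8] & 0x3f) | 0x80;   # RFC 9562 variant bits = 10xx
    my $hex = unpack 'H32', pack 'C16', @b;
    return join '-', substr($hex, 0, 8), substr($hex, 8, 4), substr($hex, 12, 4),
                     substr($hex, 16, 4), substr($hex, 20, 12);
}

# Accept only ids whose version nibble is 4. A version 1 id leaks the
# generating host's clock and node id and is guessable from the Date header.
sub accept_session_id {
    my ($uuid) = @_;
    my $v = uuid_version($uuid);
    return defined $v && $v == 4;
}

my $id = secure_session_id();
printf "%s (version %d, %s)\n", $id, uuid_version($id),
    accept_session_id($id) ? 'accepted' : 'rejected';

# Constructed sample of a time-based UUID (version nibble is 1).
my $time_based = '1b4e28ba-2fa1-11d2-883f-0016d3cca427';
printf "%s (version %d, %s)\n", $time_based, uuid_version($time_based),
    accept_session_id($time_based) ? 'accepted' : 'rejected';
```

Reading /dev/urandom in-process avoids both failure modes the advisory describes: there is no external command that can fail silently, and there is no time-based fallback. The version check is a cheap guard to place in front of any id generator you did not write yourself; it does not make a weak id strong, it only refuses ids that are known not to carry enough randomness.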

NAME

Concierge::Sessions::File - File backend for session storage

VERSION

version 0.8.4

SYNOPSIS

# Used internally by Concierge::Sessions
my $sessions = Concierge::Sessions->new(
    backend     => 'file',
    storage_dir => '/tmp/sessions',
);

DESCRIPTION

Concierge::Sessions::File provides file-based storage for session data. Each session is stored as a separate JSON file named after the session ID. This backend is useful for testing, development, and debugging.

This backend inherits from Concierge::Sessions::Base and implements all required backend methods. Users typically do not interact with this class directly - they use Concierge::Sessions which manages the backend.

FEATURES

  • Human-readable JSON format for easy debugging

  • Simple file system operations

  • No database dependencies

  • Suitable for testing and development

  • Lower performance than SQLite (~1,000 ops/sec vs 4,000-5,000)

STORAGE

Each session is stored as a separate JSON file in the storage_dir:

/path/to/storage_dir/
    ├── a1b2c3d4-e5f6-7890-abcd-ef1234567890
    ├── b2c3d4e5-f6a7-8901-bcde-f12345678901
    └── ...

File names are the session_id (no extension).

File contents:

{
    "session_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "user_id": "user123",
    "created_at": 1737526800.12345,
    "expires_at": 1737530400.12345,
    "last_updated": 1737526800.12345,
    "session_timeout": 3600,
    "status": { "state": "active", "dirty": 0 },
    "data": { "cart": [], "preferences": {} }
}
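The layout above puts the session id straight into a file name, so anything that reaches the storage layer as a session id becomes a path component. As an added example, not the module's own code, the following Perl reads and writes records in the format shown above while making the checks a caller would want: it rejects any id that is not a canonical UUID before touching the file system, creates each file owner-only, and treats a record whose expires_at has passed as absent. JSON::PP and File::Spec are the modules the page lists; the function names, the private temporary directory and the sample record are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not Concierge::Sessions::File code): read and write session
# files in the documented layout, with id validation, owner-only permissions
# and an expiry check.
use strict;
use warnings;
use JSON::PP;
use File::Spec;
use File::Temp qw(tempdir);
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC);

# The file name is exactly the session_id, so only a canonical lowercase UUID
# is allowed through; "..", "/" or anything else is refused before use.
sub valid_session_id {
    my ($id) = @_;
    return defined $id
        && $id =~ /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
}

sub session_path {
    my ($dir, $id) = @_;
    die "invalid session id\n" unless valid_session_id($id);
    return File::Spec->catfile($dir, $id);
}

# Write one record with the fields shown in the file contents above.
# sysopen with mode 0600 creates the file owner-only from the start.
sub write_session {
    my ($dir, $rec) = @_;
    my $path = session_path($dir, $rec->{session_id});
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_TRUNC, 0600)
        or die "open $path: $!";
    binmode $fh;
    print {$fh} JSON::PP->new->canonical->pretty->encode($rec);
    close $fh or die "close $path: $!";
    return $path;
}

# Read one record; returns undef when the file is missing or the session has
# expired, so callers cannot accidentally honour a stale session.
sub read_session {
    my ($dir, $id, $now) = @_;
    $now //= time;
    my $path = session_path($dir, $id);
    return undef unless -f $path;
    open my $fh, '<:raw', $path or die "open $path: $!";
    local $/;
    my $rec = JSON::PP->new->decode(<$fh>);
    close $fh;
    return undef if $rec->{expires_at} <= $now;
    return $rec;
}

# Constructed sample data, mirroring the record shown above.
my $dir = tempdir(CLEANUP => 1);
my $now = 1737526800.12345;
my %rec = (
    session_id      => 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
    user_id         => 'user123',
    created_at      => $now,
    expires_at      => $now + 3600,
    last_updated    => $now,
    session_timeout => 3600,
    status          => { state => 'active', dirty => 0 },
    data            => { cart => [], preferences => {} },
);
write_session($dir, \%rec);

my $live = read_session($dir, $rec{session_id}, $now + 10);
print $live ? "live session for $live->{user_id}\n" : "no session\n";

my $stale = read_session($dir, $rec{session_id}, $now + 3601);
print $stale ? "still live\n" : "session expired\n";

# A cookie value that is not a UUID never reaches the file system.
eval { read_session($dir, '../../etc/passwd') };
print "rejected: $@" if $@;
```

The example keeps its files in a private directory created by File::Temp; the /tmp/sessions path in the SYNOPSIS sits inside a world-writable directory shared with every local user, so for anything beyond a throwaway test a per-service directory with restrictive permissions is the safer choice.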

PERFORMANCE

The File backend provides moderate performance suitable for testing:

  • Create session: ~0.001 seconds

  • Get session: ~0.001 seconds

  • Update session: ~0.001 seconds

  • Delete session: ~0.001 seconds

Performance depends on file system speed and can vary significantly between systems. For production use, consider the SQLite backend.

USAGE

This backend is ideal for:

  • Development and testing

  • Debugging (view session data directly in text editor)

  • Environments without database support

  • Learning and experimentation

For production deployments, use the SQLite backend for better performance and reliability.

SEE ALSO

Concierge::Sessions - Session manager

Concierge::Sessions::Base - Backend base class

Concierge::Sessions::SQLite - SQLite backend implementation

JSON::PP - JSON encoding/decoding

File::Spec - File path operations

AUTHOR

Bruce Van Allen <bva@cruzio.com>

LICENSE

Artistic License 2.0
