Security Advisories (1)
CVE-2026-2439 (2026-02-16)

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to Perl's built-in rand function. Neither of these methods is secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically:

  • There is no warning when uuidgen fails. If the command fails for any reason, the software quietly uses the fallback rand() function with no warning.

  • The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.

  • Per RFC 9562, UUIDs must not be used as security capabilities, that is, as identifiers whose mere possession grants access.

  • The output of the built-in rand() function is predictable and unsuitable for security applications.
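The advisory's two failure modes are a silent fallback to rand() and a UUID that may be time-based. The following is an added example, not code from Concierge::Sessions (which this page documents at version 0.8.4, inside the affected range), showing how a session id generator can read from the kernel CSPRNG and fail closed rather than fall back when that source is unavailable. It assumes a POSIX system with /dev/urandom; the function name generate_secure_session_id is a hypothetical name chosen for this example.

```perl
use strict;
use warnings;

# Added example, not Concierge::Sessions code.
# Returns a hex string of $nbytes random bytes (default 32 bytes = 256 bits)
# from /dev/urandom. Any failure is fatal: there is no fallback to rand(),
# so a missing or short read can never silently weaken the id.
sub generate_secure_session_id {
    my ($nbytes) = @_;
    $nbytes //= 32;

    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $nbytes;
    close $fh;

    die "short read from /dev/urandom (got " . ($got // 'undef') . " of $nbytes bytes)"
        unless defined $got && $got == $nbytes;

    # Hex encoding keeps the id safe to place in cookies and URLs.
    return unpack 'H*', $buf;
}

# Sanity checks a deployment can run at startup: length and uniqueness
# across a sample. These do not prove randomness, but they do catch a
# broken entropy source that returns constant or truncated output.
sub check_generator {
    my $count = 1000;
    my %seen;
    for (1 .. $count) {
        my $id = generate_secure_session_id();
        die "unexpected id length" unless length($id) == 64;
        die "duplicate session id generated" if $seen{$id}++;
    }
    return 1;
}

check_generator() and print "session id generator OK\n";
print generate_secure_session_id(), "\n";
```

On platforms without /dev/urandom, the CPAN module Crypt::URandom wraps the platform CSPRNG with the same fail-closed behaviour; the point in either case is that the generator dies rather than degrading to rand() or to a time-based value.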

NAME

Concierge::Sessions::SQLite - SQLite backend for session storage

VERSION

version 0.8.4

SYNOPSIS

# Used internally by Concierge::Sessions
my $sessions = Concierge::Sessions->new(
    backend     => 'database',
    storage_dir => '/var/app/sessions',
);

DESCRIPTION

Concierge::Sessions::SQLite provides SQLite-based storage for session data. It is the default and recommended backend for production use, offering high performance and ACID-compliant storage.

This backend inherits from Concierge::Sessions::Base and implements all required backend methods. Users typically do not interact with this class directly; they use Concierge::Sessions, which manages the backend.

FEATURES

  • High performance (4,000-5,000 operations per second)

  • ACID-compliant transactions

  • Automatic filtering of expired sessions during retrieval

  • Single-session enforcement at database level (using UNIQUE constraint)

  • Efficient indexing on session_id and user_id

STORAGE

The backend creates a SQLite database file named sessions.db in the specified storage_dir. The database contains a single table sessions with columns for session data and metadata.

Database schema:

CREATE TABLE sessions (
    session_id TEXT PRIMARY KEY,
    user_id TEXT,
    created_at TIMESTAMP,
    expires_at TIMESTAMP,
    last_updated TIMESTAMP,
    session_timeout INTEGER,
    status JSON,
    data JSON
)

Indexes are created on session_id and user_id for fast lookups.
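To make the "automatic filtering of expired sessions during retrieval" concrete, here is an added example (not the module's own code) that creates the schema above in an in-memory SQLite database with DBI and DBD::SQLite, inserts two sessions, and looks them up with the expiry check placed in the WHERE clause. It assumes expires_at is stored as epoch seconds, which is an assumption made for this example; the page does not show the module's timestamp format. The helper names and the session ids are constructed for the example.

```perl
use strict;
use warnings;
use DBI;

# Added example, not Concierge::Sessions::SQLite code.
# Creates the documented sessions table plus a user_id index.
# session_id is the PRIMARY KEY, so it is already indexed.
sub open_session_db {
    my ($dsn) = @_;
    $dsn //= 'dbi:SQLite:dbname=:memory:';
    my $dbh = DBI->connect($dsn, '', '', { RaiseError => 1, AutoCommit => 1 });
    $dbh->do(<<'SQL');
CREATE TABLE IF NOT EXISTS sessions (
    session_id TEXT PRIMARY KEY,
    user_id TEXT,
    created_at TIMESTAMP,
    expires_at TIMESTAMP,
    last_updated TIMESTAMP,
    session_timeout INTEGER,
    status JSON,
    data JSON
)
SQL
    $dbh->do('CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id)');
    return $dbh;
}

# Assumption for this example: timestamps are epoch seconds so the
# expiry comparison is a plain numeric test.
sub create_session {
    my ($dbh, $session_id, $user_id, $timeout) = @_;
    my $now = time;
    $dbh->do(
        'INSERT INTO sessions (session_id, user_id, created_at, expires_at,
                               last_updated, session_timeout, status, data)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
        undef,
        $session_id, $user_id, $now, $now + $timeout, $now, $timeout, '{}', '{}',
    );
    return 1;
}

# Returns undef for unknown or expired ids. The expiry test is part of the
# query, so an expired row never reaches application code and cannot be
# used by a caller that forgets to check expires_at itself. Bound
# parameters keep the session id out of the SQL text.
sub get_session {
    my ($dbh, $session_id) = @_;
    my $sth = $dbh->prepare(
        'SELECT * FROM sessions WHERE session_id = ? AND expires_at > ?');
    $sth->execute($session_id, time);
    return $sth->fetchrow_hashref;
}

my $dbh = open_session_db();
create_session($dbh, 'constructed-id-1', 'alice', 3600);   # live for an hour
create_session($dbh, 'constructed-id-2', 'bob',   -1);     # already expired

print get_session($dbh, 'constructed-id-1') ? "id-1: live\n"    : "id-1: missing\n";
print get_session($dbh, 'constructed-id-2') ? "id-2: live\n"    : "id-2: expired or missing\n";
print get_session($dbh, 'no-such-id')       ? "unknown: live\n" : "unknown: missing\n";
```

Filtering in the query rather than after the fetch is what makes expiry enforcement reliable across every code path that reads a session; the same query can be used as a periodic check that no live lookups succeed for rows whose expires_at has passed.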

PERFORMANCE

The SQLite backend provides high performance suitable for production use:

  • Create session: ~0.0002 seconds

  • Get session: ~0.0002 seconds

  • Update session: ~0.0002 seconds

  • Delete session: ~0.0002 seconds

Benchmarks performed on typical hardware with default SQLite settings.

SEE ALSO

Concierge::Sessions - Session manager

Concierge::Sessions::Base - Backend base class

Concierge::Sessions::File - File backend implementation

DBI - Database interface

DBD::SQLite - SQLite DBI driver

AUTHOR

Bruce Van Allen <bva@cruzio.com>

LICENSE

Artistic License 2.0