| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| .. | 03-May-2022 | - | | |
| lib/Dancer/Session/ | 23-Sep-2015 | - | 306 | 126 |
| t/ | 23-Sep-2015 | - | 964 | 718 |
| xt/release/ | 23-Sep-2015 | - | 15 | 10 |
| CONTRIBUTORS | 23-Sep-2015 | 391 | 17 | 11 |
| Changes | 23-Sep-2015 | 3.1 KiB | 98 | 73 |
| INSTALL | 23-Sep-2015 | 1,020 | 44 | 24 |
| LICENSE | 23-Sep-2015 | 17.9 KiB | 380 | 292 |
| MANIFEST | 23-Sep-2015 | 453 | 31 | 30 |
| MANIFEST.SKIP | 23-Sep-2015 | 25 | 2 | 1 |
| META.json | 23-Sep-2015 | 2.8 KiB | 97 | 95 |
| META.yml | 23-Sep-2015 | 1.7 KiB | 66 | 65 |
| Makefile.PL | 23-Sep-2015 | 2.5 KiB | 103 | 92 |
| README.mkdn | 23-Sep-2015 | 3.7 KiB | 93 | 62 |
| SIGNATURE | 23-Sep-2015 | 2.4 KiB | 53 | 46 |
| cpanfile | 23-Sep-2015 | 1.2 KiB | 42 | 38 |
| dist.ini | 23-Sep-2015 | 348 | 14 | 12 |
| doap.xml | 23-Sep-2015 | 6.6 KiB | 184 | 183 |

README.mkdn

# NAME

Dancer::Session::Cookie - Encrypted cookie-based session backend for Dancer

# VERSION

version 0.27

# SYNOPSIS

Your `config.yml`:

    session: "cookie"
    session_cookie_key: "this random key IS NOT very random"

# DESCRIPTION

This module implements a session engine for sessions stored entirely
in cookies. Usually only the **session id** is stored in a cookie and
the session data itself is saved in some external storage, e.g. a
database. This module lets you avoid external storage altogether.

Since the server cannot trust any data returned by the client in cookies,
this module uses cryptography to ensure integrity and also secrecy. The
data your application stores in sessions is completely protected from
both tampering and analysis on the client side.

Be aware that browsers limit the size of individual cookies, so this method
is not suitable if you wish to store a large amount of data. Browsers typically
limit the size of a cookie to 4KB, but that includes the space taken to store
the cookie's name, expiration and other attributes as well as its content.

# CONFIGURATION

The setting **session** should be set to `cookie` in order to use this session
engine in a Dancer application. See [Dancer::Config](https://metacpan.org/pod/Dancer::Config).

One more setting is mandatory: **session\_cookie\_key**, which should
contain a random string of at least 16 characters (shorter keys are
not cryptographically strong using AES in CBC mode).

The optional **session\_expires** setting sets the lifetime of the
cookie. If it is not present, the cookie won't have an expiration value.

Here is an example configuration to use in your `config.yml`:

    session: "cookie"
    session_cookie_key: "kjsdf07234hjf0sdkflj12*&(@*jk"
    session_expires: 1 hour

A compromised **session\_cookie\_key** discloses session data to
clients, proxies and eavesdroppers and also allows tampering,
for example session theft. Keep your `config.yml` at least as secure
as your database passwords, or more so.

Also, changing **session\_cookie\_key** immediately invalidates all
sessions issued with the old key.

**session\_cookie\_path** can be used to control the path of the session
cookie. The default is `/`.

The global **session\_secure** setting is honoured: if it is set, a secure
(HTTPS-only) cookie is used.
# DEPENDENCY

This module depends on [Session::Storage::Secure](https://metacpan.org/pod/Session::Storage::Secure).  Legacy support is provided
using [Crypt::CBC](https://metacpan.org/pod/Crypt::CBC), [Crypt::Rijndael](https://metacpan.org/pod/Crypt::Rijndael), [String::CRC32](https://metacpan.org/pod/String::CRC32), [Storable](https://metacpan.org/pod/Storable) and
[MIME::Base64](https://metacpan.org/pod/MIME::Base64).
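
The tamper protection and key-change invalidation described under CONFIGURATION, shown by calling Session::Storage::Secure (the dependency named above) directly. This is an added example, not code from Dancer::Session::Cookie; the keys, session data and helper names are constructed, and it assumes Session::Storage::Secure is installed.

```perl
#!/usr/bin/env perl
# Added illustration: drives Session::Storage::Secure directly.
# It is not code from Dancer::Session::Cookie.
use strict;
use warnings;
use Session::Storage::Secure;

# Constructed sample keys (assumption); generate real keys from a CSPRNG.
my $old_key = 'constructed-sample-key-AAAAAAAAAAAAAAAA';
my $new_key = 'constructed-sample-key-BBBBBBBBBBBBBBBB';

# decode() returns undef when the integrity or expiry check fails; the
# eval also counts a decode that dies as a rejection.
sub accepted {
    my ( $store, $cookie ) = @_;
    my $data = eval { $store->decode($cookie) };
    return defined $data ? 1 : 0;
}

sub verdict { $_[0] ? 'accepted' : 'rejected' }

my $store  = Session::Storage::Secure->new( secret_key => $old_key );
my $cookie = $store->encode( { user => 'alice', role => 'viewer' }, time + 3600 );

# 1. Unmodified cookie, same key.
printf "%-22s %s\n", 'original cookie:', verdict( accepted( $store, $cookie ) );

# 2. One character changed by the client: the integrity check fails.
my $tampered = $cookie;
substr( $tampered, 5, 1 ) = substr( $cookie, 5, 1 ) eq 'A' ? 'B' : 'A';
printf "%-22s %s\n", 'tampered cookie:', verdict( accepted( $store, $tampered ) );

# 3. Key changed on the server: cookies issued under the old key no
#    longer validate, so every existing session is dropped at once.
my $rotated = Session::Storage::Secure->new( secret_key => $new_key );
printf "%-22s %s\n", 'old cookie, new key:', verdict( accepted( $rotated, $cookie ) );

# 4. Size budget: the roughly 4KB browser limit also covers the cookie's
#    name and attributes, so leave headroom below it.
printf "%-22s %d of 4096 bytes\n", 'encoded length:', length $cookie;
```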

# SEE ALSO

See [Dancer::Session](https://metacpan.org/pod/Dancer::Session) for details about session usage in route handlers.

See [Plack::Middleware::Session::Cookie](https://metacpan.org/pod/Plack::Middleware::Session::Cookie),
[Catalyst::Plugin::CookiedSession](https://metacpan.org/pod/Catalyst::Plugin::CookiedSession), ["session" in Mojolicious::Controller](https://metacpan.org/pod/Mojolicious::Controller#session) for alternative implementations of this mechanism.

# AUTHORS

- Alex Kapranoff <kappa@cpan.org>
- Alex Sukria <sukria@cpan.org>
- David Golden <dagolden@cpan.org>
- Yanick Champoux <yanick@cpan.org>

# COPYRIGHT AND LICENSE

This software is copyright (c) 2015 by Alex Kapranoff.

This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
