
Plack::Middleware::Session(3pm) User Contributed Perl Documentation Plack::Middleware::Session(3pm)

NAME

Plack::Middleware::Session - Middleware for session management

SYNOPSIS

  use Plack::Builder;
  my $app = sub {
      my $env = shift;
      my $session = $env->{'psgix.session'};
      return [
          200,
          [ 'Content-Type' => 'text/plain' ],
          [ "Hello, you've been here for ", $session->{counter}++, "th time!" ],
      ];
  };
  builder {
      enable 'Session';
      $app;
  };
  # Or, use the File store backend (great if you use multiprocess server)
  # For more options, see perldoc Plack::Session::Store::File
  builder {
      enable 'Session', store => 'File';
      $app;
  };

DESCRIPTION

This is a Plack Middleware component for session management. By default it will use cookies to keep session state and store data in memory. This distribution also comes with other state and store solutions. See the perldoc for each of these backends for how to use them.

It should be noted that we store the current session as a hash reference in the "psgix.session" key inside the $env where you can access it as needed.

NOTE: As of version 0.04 the session is stored in "psgix.session" instead of "plack.session".

State

Plack::Session::State
    This will maintain session state by passing the session through the request params. It does not do this automatically though, you are responsible for passing the session param.

Plack::Session::State::Cookie
    This will maintain session state using browser cookies.

Store

Plack::Session::Store
    This is your basic in-memory session data store. It is volatile storage and not recommended for multiprocessing environments. However it is very useful for development and testing.

Plack::Session::Store::File
    This will persist session data in a file. By default it uses Storable but it can be configured to have a custom serializer and deserializer.

Plack::Session::Store::Cache
    This will persist session data using the Cache interface.

Plack::Session::Store::Null
    Sometimes you don't care about storing session data, in that case you can use this noop module.

OPTIONS

The following are options that can be passed to this module.

state
    This is expected to be an instance of Plack::Session::State or an object that implements the same interface. If no option is provided the default Plack::Session::State::Cookie will be used.

store
    This is expected to be an instance of Plack::Session::Store or an object that implements the same interface. If no option is provided the default Plack::Session::Store will be used.

It should be noted that this default is an in-memory volatile store and is only suitable for development (or single process servers). For a more robust solution see Plack::Session::Store::File or Plack::Session::Store::Cache.

PLACK REQUEST OPTIONS

In addition to providing a "psgix.session" key in $env for persistent session information, this module also provides a "psgix.session.options" key which can be used to control the behavior of the module per-request. The following sub-keys exist:

change_id
    If set to a true value, forces the session identifier to change (rotate). This should always be done after logging in, to prevent session fixation attacks from subdomains; see <http://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cooking>

expire
    If set to a true value, expunges the session from the store, and clears the state in the client.

no_store
    If set to a true value, no changes made to the session in this request will be saved to the store. Both "expire" and "change_id" take precedence over this, as both need to update the session store.

late_store
    If set to a true value, the session will be saved at the end of the request, after all data has been sent to the client -- this may be required if streaming responses attempt to alter the session after the header has already been sent to the client. Note, however, that it introduces a possible race condition, where the server attempts to store the updated session before the client makes the next request. For redirects, or other responses on which the client needs to do minimal processing before making a second request, this race is quite possible to win -- causing the second request to obtain stale session data.

id
    This key contains the session identifier of the session. It should be considered read-only; to generate a new identifier, use "change_id".
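
The following is an added example, not part of the module's own documentation. It shows "change_id" set on a successful login, so that an identifier planted before authentication never names the logged-in session, and "expire" set on logout. The /login and /logout routes, the check_credentials helper and the sample user are hypothetical.

```perl
use strict;
use warnings;
use Plack::Builder;
use Plack::Request;

# Hypothetical credential check with a constructed sample user;
# replace with a lookup against a real user store.
sub check_credentials {
    my ($user, $pass) = @_;
    return defined $user && defined $pass
        && $user eq 'alice' && $pass eq 'constructed-example-password';
}

my $text = [ 'Content-Type' => 'text/plain' ];

my $app = sub {
    my $env     = shift;
    my $req     = Plack::Request->new($env);
    my $session = $env->{'psgix.session'};
    my $options = $env->{'psgix.session.options'};

    if ($req->path_info eq '/login' && $req->method eq 'POST') {
        my $params = $req->body_parameters;
        unless (check_credentials($params->{user}, $params->{pass})) {
            return [ 401, $text, ["Login failed\n"] ];
        }
        # Discard anything stored before authentication, then rotate the
        # identifier so a pre-login ID cannot be reused after login.
        %$session = (user => $params->{user});
        $options->{change_id} = 1;
        return [ 200, $text, ["Logged in\n"] ];
    }

    if ($req->path_info eq '/logout' && $req->method eq 'POST') {
        # Expunge the session from the store and clear the client state.
        $options->{expire} = 1;
        return [ 200, $text, ["Logged out\n"] ];
    }

    my $who = $session->{user} // 'anonymous';
    return [ 200, $text, ["Hello, $who\n"] ];
};

builder {
    enable 'Session', store => 'File';
    $app;
};
```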

BUGS

All complex software has bugs lurking in it, and this module is no exception. If you find a bug please either email me, or add the bug to cpan-RT.

AUTHOR

Tatsuhiko Miyagawa

Stevan Little <stevan.little@iinteractive.com>

COPYRIGHT AND LICENSE

Copyright 2009, 2010 Infinity Interactive, Inc.

<http://www.iinteractive.com>

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

2022-10-16 perl v5.34.0