NAME

Apache::AppSamurai::Session::Generate::HMAC_SHA - HMAC/SHA256 session generator for Apache::AppSamurai::Session

SYNOPSIS

 use Apache::AppSamurai::Session::Generate::HMAC_SHA;
 
 # A server key and session authentication key are required and must be
 # sent in a hash reference as shown below.  Static server key and
 # session authentication keys are shown for the sake of the example.
 $session->{args}->{ServerKey} = "628b49d96dcde97a430dd4f597705899e09a968f793491e4b704cae33a40dc02";
 $session->{args}->{key} = "c44474038d459e40e4714afefa7bf8dae9f9834b22f5e8ec1dd434ecb62b512e";
 $id = Apache::AppSamurai::Session::Generate::HMAC_SHA::generate($session);
 
 # Note - this is not how you will see this module generally called.
 # Instead, you will see it called by reference from Apache::Session or
 # Apache::AppSamurai::Session. 

 # Validate the session ID format
 (Apache::AppSamurai::Session::Generate::HMAC_SHA::validate($id)) or die "Bad!";

DESCRIPTION

This module fulfills the ID generation interface of Apache::Session and Apache::AppSamurai::Session.

Unlike the normal Apache::Session generators like MD5, this requires two input values: A server key and a session authentication key. Both must be hex string encoded 256 bit values. The values are passed in a hash reference, (see examples). The values are then punched into a HMAC using SHA256 as the digest. The ID is returned by the generate function, and the function also sets the {data}->{session_id} value on the passed in session hash.

This module can also examine session IDs to ensure that they are, indeed, session ID numbers and not evil attacks. The reader is encouraged to consider the effect of bogus session ID numbers in a system which uses these ID numbers to access disks and databases.

This modules takes no direct arguments when called as an object, but expects $self to include a hash reference named "args" from which to extract the server key and session authentication key.

SEE ALSO

Apache::AppSamurai::Session, Digest::SHA, Apache::Session

AUTHOR

Paul M. Hirsch, <paul at voltagenoir.org>

BUGS

See Apache::AppSamurai for information on bug submission and tracking.

SUPPORT

See Apache::AppSamurai for support information.

COPYRIGHT & LICENSE

Copyright 2008 Paul M. Hirsch, all rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.