Apache::AppSamurai::Session::Generate::HMAC_SHA - HMAC/SHA256 session generator for Apache::AppSamurai::Session


 use Apache::AppSamurai::Session::Generate::HMAC_SHA;
 # A server key and session authentication key are required and must be
 # sent in a hash reference as shown below.  Static server key and
 # session authentication keys are shown for the sake of the example.
 $session->{args}->{ServerKey} = "628b49d96dcde97a430dd4f597705899e09a968f793491e4b704cae33a40dc02";
 $session->{args}->{key} = "c44474038d459e40e4714afefa7bf8dae9f9834b22f5e8ec1dd434ecb62b512e";
 $id = Apache::AppSamurai::Session::Generate::HMAC_SHA::generate($session);
 # Note - this is not how you will see this module generally called.
 # Instead, you will see it called by reference from Apache::Session or
 # Apache::AppSamurai::Session. 

 # Validate the session ID format
 (Apache::AppSamurai::Session::Generate::HMAC_SHA::validate($id)) or die "Bad!";


This module fulfills the ID generation interface of Apache::Session and Apache::AppSamurai::Session.

Unlike the normal Apache::Session generators such as MD5, this one requires two input values: a server key and a session authentication key. Both must be 256-bit values encoded as hex strings. The values are passed in a hash reference (see the example above). They are then fed into an HMAC using SHA256 as the digest. The generate function returns the ID and also sets the {data}->{session_id} value on the passed-in session hash.

This module can also examine session IDs to ensure that they are, indeed, session ID numbers and not evil attacks. The reader is encouraged to consider the effect of bogus session ID numbers in a system which uses these ID numbers to access disks and databases.

This module takes no direct arguments when called as an object, but expects $self to include a hash reference named "args" from which to extract the server key and session authentication key.
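The following is an added example, not the module's own code, showing why the ID format check matters when the ID ends up in a file path or database lookup. The helper names (is_hex256, make_session_id, session_path), the /var/sessions directory, the HMAC argument order and the malformed candidates are assumptions made for illustration; the two keys are the sample values from the synopsis.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical helper: true only for a 256-bit value written as exactly
# 64 hex digits. \A and \z anchor the whole string; with ^ and $ a value
# ending in a newline would still match.
sub is_hex256 {
    my ($value) = @_;
    return (defined($value) && $value =~ /\A[0-9a-fA-F]{64}\z/) ? 1 : 0;
}

# Hypothetical stand-in for the generator: HMAC-SHA256 over the session
# authentication key, keyed with the server key (argument order assumed).
sub make_session_id {
    my ($server_key, $auth_key) = @_;
    is_hex256($server_key) or die "ServerKey must be 64 hex digits\n";
    is_hex256($auth_key)   or die "key must be 64 hex digits\n";
    return hmac_sha256_hex($auth_key, $server_key);
}

# Hypothetical file-backed store: never build a path from an ID that has
# not passed the format check. Returns undef for a rejected ID.
sub session_path {
    my ($dir, $id) = @_;
    return undef unless is_hex256($id);
    return "$dir/" . lc($id);
}

my $id = make_session_id(
    "628b49d96dcde97a430dd4f597705899e09a968f793491e4b704cae33a40dc02",
    "c44474038d459e40e4714afefa7bf8dae9f9834b22f5e8ec1dd434ecb62b512e",
);

# Constructed candidates: one well-formed ID and four malformed ones.
my @candidates = ($id, "../../etc/passwd", "$id\n", "abc'; --", substr($id, 0, 63));

for my $candidate (@candidates) {
    my $path = session_path("/var/sessions", $candidate);
    (my $shown = $candidate) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-66s %s\n", $shown, defined($path) ? "ok -> $path" : "rejected";
}
```

Only the first candidate yields a path; the one with a trailing newline is rejected because the pattern ends in `\z` rather than `$`.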


Apache::AppSamurai::Session, Digest::SHA, Apache::Session


Paul M. Hirsch, <paul at>


See Apache::AppSamurai for information on bug submission and tracking.


See Apache::AppSamurai for support information.


Copyright 2008 Paul M. Hirsch, all rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.