Changes for version 4.34

  • SECURITY: Patch CGI::Session::Driver::file to stop \ and / characters being used in session ids and hence in file names. These characters, possibly combined with '..', could have been used to access files outside the designated session file directory. Reported by TAN Chew Keong of
  • FIX: Patch CGI::Session to propagate error upwards when _load_pluggables() fails. See RT#37628 and
  • INTERNAL: Ship a machine-readable version of this file under the name Changelog.ini. The latter file is generated by, which is shipped with Module::Metadata::Changes. The reason Changelog.ini does not contain a separate section for each version in this file is that some of the versions documented below have no datestamp, and does not create fake datestamps.


persistent session data in CGI applications
CGI::Session driver specifications
Base class for native DBI-related CGI::Session drivers
CGI::Session driver for BerkeleyDB using DB_File
Default CGI::Session driver
CGI::Session driver for MySQL database
PostgreSQL driver for CGI::Session
CGI::Session driver for SQLite
error handling routines for CGI::Session
CGI::Session ID driver
default CGI::Session ID generator
CGI::Session ID Driver for generating static IDs
Default CGI::Session serializer
serializer for CGI::Session
Serializer for CGI::Session
Extended CGI::Session manual


in lib/CGI/Session/Test/
in lib/CGI/Session/Test/
in lib/CGI/Session/Test/