Dancer2 0.203000 improves session security, fixes decoding bugs

Dancer2 0.203000 is on its way to a CPAN mirror near you. This version brings some important security improvements and bugfixes:

  • It is considered good security practice to change a session ID whenever any change in privilege level occurs (such as logging into an app). Not only is this a good practice, but it is a requirement of some established security standards. To support this, a new method, change_session_id(), was added to make it easy for developers to issue a new session ID on privilege change.

At some point in the not-too-distant future, session drivers will be required to implement a _change_id() method to support this. In the meantime, Dancer2 will perform the operation for session drivers that lack this method.

Thanks to Ctrl O and InfoSaaS for sponsoring SysPete’s work on this important functionality!
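As an added example (not code from the Dancer2 release or its documentation), here is a login route that rotates the session ID with change_session_id() before the authenticated identity is stored, so that any session ID the client held before login no longer identifies the privileged session. The credential table and route paths are constructed for illustration, and change_session_id is used as the Dancer2 DSL keyword this release introduces.

```perl
package MyApp;
use Dancer2;

# Constructed credential store for the example only; a real application
# would verify a salted password hash against its user database.
my %users = ( alice => 'correct horse battery staple' );

# Any session engine works; Simple keeps sessions in memory for the demo.
set session => 'Simple';

post '/login' => sub {
    my $user = body_parameters->get('user');
    my $pass = body_parameters->get('password');

    unless ( defined $user && defined $pass
          && exists $users{$user} && $users{$user} eq $pass ) {
        status 401;
        return 'invalid credentials';
    }

    # Privilege level is about to change, so issue a fresh session ID
    # *before* storing the authenticated identity. A session ID the client
    # obtained (or was handed) pre-login must not carry over into the
    # logged-in state.
    my $old_id = session->id;
    change_session_id;
    my $new_id = session->id;

    session user => $user;
    return "logged in as $user; session id rotated: "
         . ( $new_id ne $old_id ? 'yes' : 'no' );
};

get '/logout' => sub {
    # Leaving the privileged state: drop the session entirely rather than
    # reusing the authenticated ID for an anonymous visitor.
    app->destroy_session;
    redirect '/';
};

get '/' => sub {
    my $user = session('user');
    return $user ? "hello, $user" : 'not logged in';
};

true;
```

Run it with `plackup bin/app.psgi` (or `perl MyApp.pm` via `Dancer2` test tooling) and compare the session cookie value before and after a POST to /login; the value should differ once the login succeeds.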

  • A bug made it possible for a request's serialized data not to be deserialized into body_parameters if any middleware had previously created a Plack::Request object and parsed the request body. A bugfix by veryrusty forces deserialization of body data even when an existing Plack::Request object has already parsed the request body.

  • A bug introduced in Dancer2 0.200000 caused deserialized data to be decoded twice. This has been fixed.

  • Three functions were introduced for developer convenience: code_mapping(), status_mapping() and all_mappings(). These functions give your code access to copies of Dancer's HTTP_CODES table, rather than having to copy the table for your own use. See the docs for Dancer2::Core::HTTP for more information.

  • Several documentation improvements were made by Racke, including documentation of a session’s data() method.

The full changelog is as follows:

0.203000  2016-08-24 22:09:56-05:00 America/Chicago

[ BUG FIXES ]
* GH #1232: Force deserialization of body data even when an existing 
  Plack::Request object has already parsed request body. Don't double
  decode deserialized data. (Russell Jenkins - @veryrusty)

[ ENHANCEMENTS ]
* GH #1195: Add change_session_id() method - both as a good security 
  practice and to comply with other established security standards.
  (Peter Mottram)
* GH #1234: Add convenience functions to access Dancer's HTTP_CODES
  table. (Yanick Champoux)

[ DOCUMENTATION ]
* Fix Typo (Stefan Hornburg - Racke)
* Document $session->data (Stefan Hornburg - Racke)

If you have any questions, please find us at irc.perl.org#dancer.

Just a reminder, the Dancer conference in Vienna, Austria is quickly approaching (it’s just a month away!). If you are interested in attending or giving a talk, please visit the conference website.

Happy Dancing!

About Jason A. Crome

Dancer developer, entrepreneur, pilot, and hockey player.