- OPTIONAL MANAGER ARGUMENTS
- AUTHORS AND LICENSE
- COPYRIGHT AND LICENSE
Starch::Plugin::SecureStateID - use cryptographically secure random when making state IDs
my $starch = Starch->new( plugins => ['::SecureStateID'], secure_state_id_sha => 256, );
For each state stored in Starch, the generated ID is virtually guaranteed to be unique. It is not generated to be unguessable. By using this plugin, the state will include a random number generated using Math::Random::Secure to assure that is both unique and includes a cryptographically secure random number in the calculated ID.
This plugin also upgrades the state ID so that it is calculated using SHA-256 instead of SHA-1. SHA-1 hashed values are potentially guessable for attackers with a large enough budget. A possible downside is that SHA-256 creates a key that is 256 bits long, which results in an ID string that is 64 bytes long, rather than the 40 byte long string provided by SHA-1. The version of SHA used may be chosen with the "secure_state_id_sha" option.
These arguments are added to the Starch::Manager class.
This names the SHA algorithm to use. It may be set to one of: 1, 224, 256, 284, 512224, and 512256. The default is 256 (though, if you do not use this plugin, SHA-1 will be used).
Copyright 2016 Sterling Hanenkamp
This is free software distributed under the same terms as Perl itself.
Special thanks to ZipRecruiter, Inc. without whom this software would not exist and would not be available to the Open Source community.
Andrew Sterling Hanenkamp <email@example.com>
This software is copyright (c) 2019 by Andrew Sterling Hanenkamp.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.