Dancer::Session::Cookie - Encrypted cookie-based session backend for Dancer


Your config.yml:

    session: "cookie"
    session_cookie_key: "this random key IS NOT very random"


This module implements a session engine for sessions stored entirely in cookies. Usually only session id is stored in cookies and the session data itself is saved in some external storage, e.g. database. This module allows to avoid using external storage at all.

Since server cannot trust any data returned by client in cookies, this module uses cryptography to ensure integrity and also secrecy. The data your application stores in sessions is completely protected from both tampering and analysis on the client-side.


The setting session should be set to cookie in order to use this session engine in a Dancer application. See Dancer::Config.

A mandatory setting is needed as well: session_cookie_key, which should contain a random string of at least 16 characters (shorter keys are not cryptographically strong using AES in CBC mode).

Here is an example configuration to use in your config.yml:

    session: "cookie"
    session_cookie_key: "kjsdf07234hjf0sdkflj12*&(@*jk"

Compromising session_cookie_key will disclose session data to clients and proxies or eavesdroppers and will also allow tampering, for example session theft. So, your config.yml should be kept at least as secure as your database passwords or even more.

Also, changing session_cookie_key will have an effect of immediate invalidation of all sessions issued with the old value of key.

session_cookie_path can be used to control the path of the session cookie. The default is /.

The global session_secure setting is honoured and a secure (https only) cookie will be used if set.


This module depends on Crypt::CBC, Crypt::Rijndael, String::CRC32, Storable and MIME::Base64.


This module has been written by Alex Kapranoff.


See Dancer::Session for details about session usage in route handlers.

See Plack::Middleware::Session::Cookie, Catalyst::Plugin::CookiedSession, "session" in Mojolicious::Controller for alternative implementation of this mechanism.


This module is copyright (c) 2009-2010 Alex Kapranoff <>.


This module is free software and is released under the same terms as Perl itself.