Use Crypt::SysRandom to generate session ids

This replaces convoluted code for generating session ids with a simple
call to retrieve random bytes from the system source of randomness.

Author: robrwo

lib/Catalyst/Plugin/Session.pm

@@ -4,7 +4,7 @@ use Moose;
 with 'MooseX::Emulate::Class::Accessor::Fast';
 use MRO::Compat;
 use Catalyst::Exception ();
-use Digest              ();
+use Crypt::SysRandom    ();
 use overload            ();
 use Object::Signature   ();
 use HTML::Entities      ();
@@ -598,11 +598,7 @@ sub initialize_session_data {
 }
 
 sub generate_session_id {
-    my $c = shift;
-
-    my $digest = $c->_find_digest();
-    $digest->add( $c->session_hash_seed() );
-    return $digest->hexdigest;
+    return unpack( "H*", Crypt::SysRandom::random_bytes(16) );
 }
 
 sub create_session_id_if_needed {
@@ -624,33 +620,10 @@ sub create_session_id {
     return $sid;
 }
 
-my $counter;
-
-sub session_hash_seed {
-    my $c = shift;
-
-    return join( "", ++$counter, time, rand, $$, {}, overload::StrVal($c), );
-}
+sub session_hash_seed { }
 
 my $usable;
 
-sub _find_digest () {
-    unless ($usable) {
-        foreach my $alg (qw/SHA-1 SHA-256 MD5/) {
-            if ( eval { Digest->new($alg) } ) {
-                $usable = $alg;
-                last;
-            }
-        }
-        Catalyst::Exception->throw(
-                "Could not find a suitable Digest module. Please install "
-              . "Digest::SHA1, Digest::SHA, or Digest::MD5" )
-          unless $usable;
-    }
-
-    return Digest->new($usable);
-}
-
 sub dump_these {
     my $c = shift;
 
@@ -973,53 +946,22 @@ insensitive hexadecimal characters.
 
 =item generate_session_id
 
-This method will return a string that can be used as a session ID. It is
-supposed to be a reasonably random string with enough bits to prevent
-collision. It basically takes C<session_hash_seed> and hashes it using SHA-1,
-MD5 or SHA-256, depending on the availability of these modules.
-
-=item session_hash_seed
-
-This method is actually rather internal to generate_session_id, but should be
-overridable in case you want to provide more random data.
+This method will return a string that can be used as a session ID.
 
-Currently it returns a concatenated string which contains:
+The string is simply 32 hex digits from the system randomness source using L<Crypt::SysRandom>.
 
-=over 4
-
-=item * A counter
-
-=item * The current time
-
-=item * One value from C<rand>.
-
-=item * The stringified value of a newly allocated hash reference
-
-=item * The stringified value of the Catalyst context object
-
-=back
+You can override this if you prefer to use a different source of randomness or different format of session ids:
 
-in the hopes that those combined values are entropic enough for most uses. If
-this is not the case you can replace C<session_hash_seed> with e.g.
-
-    sub session_hash_seed {
-        open my $fh, "<", "/dev/random";
-        read $fh, my $bytes, 20;
-        close $fh;
-        return $bytes;
-    }
-
-Or even more directly, replace C<generate_session_id>:
+    use Crypt::URandom::Token ();
 
     sub generate_session_id {
-        open my $fh, "<", "/dev/random";
-        read $fh, my $bytes, 20;
-        close $fh;
-        return unpack("H*", $bytes);
+        state $tok = Crypt::URandom::Token->new();
+        return $tok->get;
     }
 
-Also have a look at L<Crypt::Random> and the various openssl bindings - these
-modules provide APIs for cryptographically secure random data.
+=item session_hash_seed
+
+This method is no longer used.
 
 =item finalize_session
 
@@ -1249,5 +1191,3 @@ Robert Rothenberg <[email protected]> (on behalf of Foxtons Ltd.)
     it and/or modify it under the same terms as Perl itself.
 
 =cut
-
-