NAME
    Catalyst::Plugin::Session - Generic Session plugin - ties together
    server side storage and client side tickets required to maintain session
    data.

SYNOPSIS
        use Catalyst qw/Session Session::Store::FastMmap Session::State::Cookie/;

        sub add_item : Local {
            my ( $self, $c ) = @_;

            my $item_id = $c->req->param("item");

            # $c->session is stored across requests, so
            # other actions will see these values

            push @{ $c->session->{items} }, $item_id;

            $c->forward("MyView");
        }

        sub display_items : Local {
            my ( $self, $c ) = @_;

            # values in $c->session are restored
            $c->stash->{items_to_display} =
                [ map { MyModel->retrieve($_) } @{ $c->session->{items} } ];

            $c->forward("MyView");
        }

DESCRIPTION
    The Session plugin is the base of two related parts of functionality
    required for session management in web applications.

    The first part, the State, is getting the browser to repeat back a
    session key, so that the web application can identify the client and
    logically string several requests together into a session.

    The second part, the Store, deals with the actual storage of information
    about the client. This data is stored so that the it may be revived for
    every request made by the same client.

    This plugin links the two pieces together.

METHODS
    sessionid
        An accessor for the session ID value.

    session
        Returns a hash reference that might contain unserialized values from
        previous requests in the same session, and whose modified value will
        be saved for future requests.

        This method will automatically create a new session and session ID
        if none exists.

    session_delete_reason
        This accessor contains a string with the reason a session was
        deleted. Possible values include:

        *   "address mismatch"

        *   "session expired"

    setup
        This method is extended to also make calls to
        "check_session_plugin_requirements" and "setup_session".

    check_session_plugin_requirements
        This method ensures that a State and a Store plugin are also in use
        by the application.

    setup_session
        This method populates "$c->config->{session}" with the default
        values listed in "CONFIGURATION".

    prepare_action
        This methoid is extended, and will restore session data and check it
        for validity if a session id is defined. It assumes that the State
        plugin will populate the "sessionid" key beforehand.

    finalize
        This method is extended and will extend the expiry time, as well as
        persist the session data if a session exists.

    delete_session REASON
        This method is used to invalidate a session. It takes an optional
        parameter which will be saved in "session_delete_reason" if
        provided.

    initialize_session_data
        This method will initialize the internal structure of the session,
        and is called by the "session" method if appropriate.

    generate_session_id
        This method will return a string that can be used as a session ID.
        It is supposed to be a reasonably random string with enough bits to
        prevent collision. It basically takes "session_hash_seed" and hashes
        it using SHA-1, MD5 or SHA-256, depending on the availibility of
        these modules.

    session_hash_seed
        This method is actually rather internal to generate_session_id, but
        should be overridable in case you want to provide more random data.

        Currently it returns a concatenated string which contains:

        *   A counter

        *   The current time

        *   One value from "rand".

        *   The stringified value of a newly allocated hash reference

        *   The stringified value of the Catalyst context object

        In the hopes that those combined values are entropic enough for most
        uses. If this is not the case you can replace "session_hash_seed"
        with e.g.

            sub session_hash_seed {
                open my $fh, "<", "/dev/random";
                read $fh, my $bytes, 20;
                close $fh;
                return $bytes;
            }

        Or even more directly, replace "generate_session_id":

            sub generate_session_id {
                open my $fh, "<", "/dev/random";
                read $fh, my $bytes, 20;
                close $fh;
                return unpack("H*", $bytes);
            }

        Also have a look at Crypt::Random and the various openssl bindings -
        these modules provide APIs for cryptographically secure random data.

    dump_these
        See "dump_these" in Catalyst - ammends the session data structure to
        the list of dumped objects if session ID is defined.

USING SESSIONS DURING PREPARE
    The earliest point in time at which you may use the session data is
    after Catalyst::Plugin::Session's "prepare_action" has finished.

    State plugins must set $c->session ID before "prepare_action", and
    during "prepare_action" Catalyst::Plugin::Session will actually load the
    data from the store.

            sub prepare_action {
                    my $c = shift;

                    # don't touch $c->session yet!
                
                    $c->NEXT::prepare_action( @_ );

                    $c->session;  # this is OK
                    $c->sessionid; # this is also OK
            }

CONFIGURATION
        $c->config->{session} = {
            expires => 1234,
        };

    All configuation parameters are provided in a hash reference under the
    "session" key in the configuration hash.

    expires
        The time-to-live of each session, expressed in seconds. Defaults to
        7200 (two hours).

    verify_address
        When false, "$c->request->address" will be checked at prepare time.
        If it is not the same as the address that initiated the session, the
        session is deleted.

SPECIAL KEYS
    The hash reference returned by "$c->session" contains several keys which
    are automatically set:

    __expires
        A timestamp whose value is the last second when the session is still
        valid. If a session is restored, and __expires is less than the
        current time, the session is deleted.

    __updated
        The last time a session was saved. This is the value of
        "$c->{session}{__expires} - $c->config->{session}{expires}".

    __created
        The time when the session was first created.

    __address
        The value of "$c->request->address" at the time the session was
        created. This value is only populated of "verify_address" is true in
        the configuration.

CAVEATS
    "verify_address" could make your site inaccessible to users who are
    behind load balanced proxies. Some ISPs may give a different IP to each
    request by the same client due to this type of proxying. If addresses
    are verified these users' sessions cannot persist.

    To let these users access your site you can either disable address
    verification as a whole, or provide a checkbox in the login dialog that
    tells the server that it's OK for the address of the client to change.
    When the server sees that this box is checked it should delete the
    "__address" sepcial key from the session hash when the hash is first
    created.

AUTHORS
    Andy Grundman Christian Hansen Yuval Kogman, "nothingmuch@woobling.org"
    Sebastian Riedel

COPYRIGHT & LICNESE
            Copyright (c) 2005 the aforementioned authors. All rights
            reserved. This program is free software; you can redistribute
            it and/or modify it under the same terms as Perl itself.

