Checking in changes prior to tagging of version 0.14.

[catagits/Web-Session.git] / lib / Plack / Session / State.pm

diff --git a/lib/Plack/Session/State.pm b/lib/Plack/Session/State.pm
index 5377b93..ed470d1 100644 (file)
--- a/lib/Plack/Session/State.pm
+++ b/lib/Plack/Session/State.pm
@@ -2,7 +2,7 @@ package Plack::Session::State;
 use strict;
 use warnings;
 
-our $VERSION   = '0.12';
+our $VERSION   = '0.14';
 our $AUTHORITY = 'cpan:STEVAN';
 
 use Digest::SHA1 ();
@@ -98,6 +98,15 @@ all B<Plack::Session::State::*> modules. You will only
 need to override a couple methods if you do subclass. See
 L<Plack::Session::State::Cookie> for an example of this.
 
+B<WARNING>: parameter based session ID management makes session
+fixation really easy, and that makes your website vulnerable. You
+should really avoid using this state in the production environment
+except when you have to deal with legacy HTTP clients that do not
+support cookies.
+
+In the future this parameter based state handling will be removed from
+this base class and will be moved to its own State class.
+
 =head1 METHODS
 
 =over 4