Checking in changes prior to tagging of version 0.14.

[catagits/Web-Session.git] / lib / Plack / Session / State.pm

diff --git a/lib/Plack/Session/State.pm b/lib/Plack/Session/State.pm
index c89d58c..ed470d1 100644 (file)
--- a/lib/Plack/Session/State.pm
+++ b/lib/Plack/Session/State.pm
@@ -2,7 +2,7 @@ package Plack::Session::State;
 use strict;
 use warnings;
 
-our $VERSION   = '0.11';
+our $VERSION   = '0.14';
 our $AUTHORITY = 'cpan:STEVAN';
 
 use Digest::SHA1 ();
@@ -98,6 +98,15 @@ all B<Plack::Session::State::*> modules. You will only
 need to override a couple methods if you do subclass. See
 L<Plack::Session::State::Cookie> for an example of this.
 
+B<WARNING>: parameter based session ID management makes session
+fixation really easy, and that makes your website vulnerable. You
+should really avoid using this state in the production environment
+except when you have to deal with legacy HTTP clients that do not
+support cookies.
+
+In the future this parameter based state handling will be removed from
+this base class and will be moved to its own State class.
+
 =head1 METHODS
 
 =over 4
@@ -109,7 +118,7 @@ however in both cases a default will be provided for you.
 
 =item B<session_key>
 
-This is the name of the session key, it default to 'plack_session'.
+This is the name of the session key, it defaults to 'plack_session'.
 
 =item B<sid_generator>
 
@@ -155,7 +164,7 @@ instance or an object with an equivalent interface.
 =item B<finalize ( $session_id, $response )>
 
 Given a C<$session_id> and a C<$response> this will perform any
-finalization nessecary to preserve state. This method is called by
+finalization necessary to preserve state. This method is called by
 the L<Plack::Session> C<finalize> method. The C<$response> is expected
 to be a L<Plack::Response> instance or an object with an equivalent
 interface.