@riywo
Created March 6, 2011 17:24
Cookie使ったセッション管理でID固定化を防ぐには
use strict;
use warnings;
use Plack::Builder;
use Plack::Request;
use Plack::Session;
use Plack::Session::State::Cookie;
use Plack::Session::Store::Cache;
use Cache::Memcached::IronPlate;
use Cache::Memcached::Fast;
use Text::Xslate qw(html_builder);
use Text::Markdown;
use Data::Section::Simple;
use Data::Dumper;
# Demo account table, keyed by numeric user id.
# The passwords are kept in clear text only because this is a local
# session-handling demo; a real user store would hold salted password
# hashes instead.
my $user_data = {
    1 => { name => 'user1', password => 'pass1' },
    2 => { name => 'user2', password => 'pass2' },
};
# Reverse lookup: login name => user id (the key used in $user_data).
my $user_index = {
    user1 => 1,
    user2 => 2,
};
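# PSGI application demonstrating how to avoid session fixation with a
# cookie-based session: the session ID is regenerated when a login succeeds.
#
# Routes:
#   /        show the current session ID and whether the session is verified
#   /login   check name/password; on success rotate the session ID and mark
#            the session as verified
#   /logout  expire the session
#   other    404 "Not Found"
#
# Takes the PSGI environment hash reference and returns a finalized PSGI
# response.  Plack::Session reads the session out of that environment, so
# the Session middleware has to wrap this application.
my $app = sub {
    my $env = shift;
    my $req = Plack::Request->new($env);

    my $tx = Text::Xslate->new(
        path => [
            Data::Section::Simple->new()->get_data_section(),
        ],
        function => {
            # html_builder marks the return value as raw HTML, so the markup
            # produced by Text::Markdown is emitted without escaping.
            md => html_builder {
                Text::Markdown::markdown(shift);
            },
        },
    );

    my $path = $req->path_info;

    if ($path eq '/') {
        my $session = Plack::Session->new($req->env);

        # Resolve the user name only for a user_id that is present and known.
        # An anonymous visit has no user_id; indexing $user_data with undef
        # would warn and autovivify an empty record under the '' key.
        my $user_id = $session->get('user_id');
        my $user_name;
        if (defined $user_id && exists $user_data->{$user_id}) {
            $user_name = $user_data->{$user_id}{name};
        }

        my $arg = {
            session_id  => $session->id,
            is_verified => scalar $session->get('verified'),
            user_name   => $user_name,
        };

        my $res = $req->new_response(200);
        $res->content_type('text/html');
        $res->body($tx->render('index.tx', $arg));
        return $res->finalize;
    }
    elsif ($path eq '/login') {
        my $session = Plack::Session->new($req->env);

        # Read each parameter in scalar context.  In list context param()
        # returns every submitted value (or none), which inside a hash
        # constructor shifts or adds key/value pairs in the template
        # arguments.
        my $name     = $req->param('name');
        my $password = $req->param('password');

        # NOTE(review): login.tx concatenates name and password into the
        # string handed to the md filter, whose output is raw HTML -- confirm
        # these request values are escaped before they reach the page.
        my $arg = {
            session_id => $session->id,
            name       => $name,
            password   => $password,
        };

        # Look up the stored password only for a known login name.
        my $user_id;
        if (defined $name && exists $user_index->{$name}) {
            $user_id = $user_index->{$name};
        }
        my $expected;
        if (defined $user_id && exists $user_data->{$user_id}) {
            $expected = $user_data->{$user_id}{password};
        }

        # Both sides must be defined: with an unknown name the stored
        # password is undef, and undef compares equal to a missing or empty
        # submitted password under eq, which would accept the login.
        if (   defined $expected
            && defined $password
            && $expected eq $password)
        {
            # Session-fixation defence: ask the Session middleware for a
            # fresh ID, so an ID the browser held before authentication is
            # not the one that becomes authenticated.
            $req->session_options->{change_id}++;
            $session->set('verified', 1);
            $session->set('user_id',  $user_id);
            $arg->{'is_collect'} = 1;
        }

        my $res = $req->new_response(200);
        $res->content_type('text/html');
        $res->body($tx->render('login.tx', $arg));
        return $res->finalize;
    }
    elsif ($path eq '/logout') {
        my $session = Plack::Session->new($req->env);

        # Capture the ID for display before the session is expired.
        my $arg = {
            session_id => $session->id,
        };
        $session->expire;

        my $res = $req->new_response(200);
        $res->content_type('text/html');
        $res->body($tx->render('logout.tx', $arg));
        return $res->finalize;
    }
    else {
        my $res = $req->new_response(404);
        $res->body("Not Found");
        return $res->finalize;
    }
};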
# Assemble the PSGI stack: the Debug panel outermost, then the Session
# middleware, then the application.  The value of this statement is the
# application object the file evaluates to.
builder {
    enable 'Debug';

    # Session data lives server-side in memcached on localhost, reached
    # through the IronPlate wrapper.
    my $memcached = Cache::Memcached::Fast->new({
        servers => [ { address => 'localhost:11211' } ],
    });
    my $store = Plack::Session::Store::Cache->new(
        cache => Cache::Memcached::IronPlate->new(cache => $memcached),
    );

    # The browser holds only the session ID, in a cookie named "sid".
    # httponly is left switched off here; base.tx prints document.cookie,
    # which can show the sid only while the cookie is readable from script
    # (presumably why the option is commented out).  Outside this demo the
    # cookie should be set with httponly, and with secure when served over
    # HTTPS.
    my $state = Plack::Session::State::Cookie->new(
        session_key => 'sid',
        # httponly => 1,
    );

    enable 'Session', store => $store, state => $state;
    $app;
};
__DATA__
@@ base.tx
:# Shared layout for every page.
:# Shows the session ID passed in by the handler next to the cookie string the
:# browser exposes to script, so the two values can be compared after each step.
:# The document.cookie line can show sid only while the cookie lacks HttpOnly.
<html>
<head><title>Session Test</title></head>
<body>
<: "
## Session ID
- HTTP request
- sid=" ~ $session_id ~ "
- cookie
- <script>document.write(document.cookie);</script>
" | md :>
<: block body {} :>
:# The login links carry name and password in the query string.
:# Credentials in a URL are kept in browser history, server logs and Referer
:# headers, so this form suits only the local demo.
<: "
## Link
- [top](http://localhost:5000/)
- [login user1](http://localhost:5000/login?name=user1&password=pass1)
- [login_user2](http://localhost:5000/login?name=user2&password=pass2)
- [logout](http://localhost:5000/logout)
" | md :>
</body>
</html>
@@ index.tx
: cascade base;
:# Top page body: reports whether the current session has been verified.
:# $user_name goes through a plain interpolation tag, which Xslate HTML-escapes
:# by default (the engine is created without a type option).
: override body -> {
<: "## Verified ?" | md :>
: if $is_verified == true {
verified <: $user_name :>
: }
: else {
not verified
: }
: }
@@ login.tx
: cascade base;
:# Login result body: echoes the submitted parameters and the outcome.
:# NOTE(review): $name and $password come straight from the request and are
:# concatenated into the string handed to md, whose result is rendered as raw
:# HTML - confirm the values are escaped before this point.
:# is_collect is set by the handler only when the password matched
:# (the name presumably means "is correct").
: override body -> {
<: "
## Request Param
- name
- " ~ $name ~ "
- password
- " ~ $password ~ "
" | md :>
<: "## Collect ?" | md :>
: if $is_collect == true {
collect
: }
: else {
incollect
: }
: }
@@ logout.tx
: cascade base;
:# No body override here, so only the shared layout from base.tx is rendered.
:# The session ID shown is the one the handler read before expiring the session.