http://www.perlmonks.org?node_id=451131


in reply to CGI::Session, taint mode, and tainted session file input data

That is, somehow untainting the session data string read from a file (or database record for that matter), before CGI::Session then uses thaw() to recreate the session hash?

If you get your session data from a db server (via DBI) you don't need to untaint them (unless you've set the TaintOut or Taint DBI attributes and you run your program in taint mode -- both these attributes default to off, even if perl is in taint mode).
Therefore switching from the file backend to a DBI backend (natively supported by CGI::Session for SQLite, MySQL and PostgreSQL) for your session data, can be a workaround (provided that you can trust your db of course).

Ciao,
Emanuele.