All notable changes to lua-resty-session will be documented in this file.
- fix(dshm/memcached): add a missing return parameter as otherwise pool parameters are not respected, fix #171
- chore(utils): remove dependency for lua_pack, fix #158
- fix(*): redis authorization
- fix(*): hkdf is not approved by FIPS, use PBKDF2 instead on FIPS-mode
- fix(session): clear_request cookie to check remember_meta correctly before using it
- feat(opm): add more dependencies in requires
- feat(opm): add right version number requirements
- docs(readme): add remark on dependencies on installation section
- Full rewrite of the library; it is not backwards compatible. Refer to the new documentation for this new library.
- 3.9 introduced an issue where calling `session:regenerate` with `flush=true` didn't really flush if the session strategy was `regenerate`.
- Fix #138 where chunked cookies were not expired when the session shrinks, thanks @alexdowad.
- Fix #134 where the `regenerate` strategy destroyed the previous session when calling `session:regenerate`; it should just `ttl` the old session.
- AES GCM mode support was added to the AES cipher. This is recommended, but for backward compatibility it was not set as the default. It will be changed in the 4.0 release.
- Redis ACL authentication is now available.
- Add `session_redis_username`
- Add `session_redis_password`
- Deprecate `session_redis_auth`; use `session_redis_password`
- Add
- Optimize Redis and Memcache storage adapters to not connect to the database when not needed.
- Connection options are now passed to the `redis cluster client` as well.
- Fix #107 where `session.start` could release a lock for a short period
- Add `keep_lock` argument to `session.open`
- Add pluggable compressors, and implement `none` and `zlib` compressors
- Fix `session:hide()` to only send a single `Cookie` header at most, as reported by @jharriman who also provided a fix with #103. Thank you!
- Fix `session:hide()` to not clear non-session request cookies, which it seemed to do in some cases, as reported by @altexy who also provided an initial fix with #100. Thank you!
- Fix `session_cookie_maxsize` error "attempt to compare string with number", fixes #98, thank you @vavra5
- More robust and uniform configuration parsing
- Fix: `set_timeouts` is now only called if all parameters are available; should fix #96, thank you @notdodo.
- Add `$session_memcache_connect_timeout` configuration option
- Add `$session_memcache_read_timeout` configuration option
- Add `$session_memcache_send_timeout` configuration option
- Add `$session_memcache_pool_name` configuration option
- Add `$session_memcache_pool_backlog` configuration option
- Add `$session_dshm_connect_timeout` configuration option
- Add `$session_dshm_read_timeout` configuration option
- Add `$session_dshm_send_timeout` configuration option
- Add `$session_dshm_pool_name` configuration option
- Add `$session_dshm_pool_backlog` configuration option
- Support for Redis clusters
- Add `$session_redis_connect_timeout` configuration option
- Add `$session_redis_read_timeout` configuration option
- Add `$session_redis_send_timeout` configuration option
- Add `$session_redis_pool_name` configuration option
- Add `$session_redis_pool_backlog` configuration option
- Add `$session_redis_cluster_name` configuration option
- Add `$session_redis_cluster_dict` configuration option
- Add `$session_redis_cluster_maxredirections` configuration option
- Add `$session_redis_cluster_nodes` configuration option
- A more flexible way to specify custom implementations: `require "resty.session".new { storage = require "my.storage" }`
- Lock releasing is a lot more robust now
- Add idletime setting (thanks @Tieske), see `session.cookie.idletime`
- Add support for Cookie prefixes `__Host-` and `__Secure-` on Cookie name (see: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3)
- The whole codebase was refactored and simplified, especially implementing new storage adapters is now a lot easier
- Redis and Memcached `spinlockwait` was changed from microseconds to milliseconds and the default is set to `150` milliseconds
- Redis and Memcache will only release locks that the current session instance holds
- DSHM `session_dshm_store` was renamed to `session_dshm_region`
- BASE64 encoding now strips the padding
- Add support for `SameSite=None` (#83) (thanks @bodewig)
- Style changes (#77) (thanks @Tieske)
- Add SSL support for the Redis storage option (#75) (thanks @tieske)
- DSHM storage adapter (a distributed SHM storage based on Hazelcast for Nginx) (thanks @grrolland)
- Avoid using a unix socket or a Redis password with an empty string
- Provide session id when closing, otherwise the lock is not deleted
- Added a configuration for session cookie max size (`session.cookie.maxsize`)
- Added pluggable strategies with `default` and a new `regenerate` strategy
- Added pluggable `hmac`s
- Added `session.close`
- Added `ttl` to storages
- Added `session.cookie.discard`, a `ttl` for how long to keep old sessions when renewing (used by the `regenerate` strategy)
- Only sets self.cookie.secure if not defined.
- Forgot to bump version number.
- Fixes issue where check addr and check scheme could be faked. See also: #47 Thanks @nielsole
- Fixes small bug where AES could generate an invalid salt on invalid input, which further crashed Lua with the error: bad argument #2 to 'salt' (number expected, got no value)
- Automatically creates exactly a 64-bit salt as required by the latest lua-resty-string. See also: #40 Thanks @peturorri
- Added session.hide() function to hide session cookies from upstream on reverse proxy scenarios.
- Delays setting the defaults until needed, allowing users to safely require "resty.session" in different contexts.
- Added a support for chunked cookies. See also: #35 Thanks @zandbelt
- Lua code configuration parsing corrections (especially on boolean options).
- Added a more natural way to pass config arguments to storage adapters and ciphers in Lua code. See also: #34 Thanks @hanxi
- On start we now also send the cookie if the settings have changed and the cookie expiry time needs to be reduced.
- Memcache storage adapter had a missing ngx.null.
- Implemented pluggable session identifier generators.
- Implemented random session identifier generator.
- Now checks if headers were already sent before trying to set the cookie headers.
- SSL session identifier is not checked by default anymore.
- Lua session.identifier.length changed to session.random.length.
- Nginx $session_identifier_length changed to $session_random_length.
- Just another OPM release to correct the name.
- Support for the official OpenResty package manager (opm).
- Changed the change log format to keep-a-changelog.
- Bugfix: Weird bug where RAND_bytes was not working on Windows platform. Code changed to use resty.random. See Also: #31 Thanks @gtuxyco
- Bugfix: AES Cipher used a wrong table for cipher sizes. See Also: #30 Thanks @pronan
- Redis storage adapter now supports Redis authentication. See Also: #28 Thanks @cheng5533062
- Just cleanups and changed _VERSION to point correct version.
- session.save close argument was not defaulting to true.
- Cookie will now have SameSite attribute set as "Lax" by default. You can turn it off or set to "Strict" by configuration.
- Calling save will now also set session.id if the save was called without calling start first. See Also: #27 Thanks @hcaihao
- Fixes issue #19 where regenerating session would throw an error when using cookie storage. See Also: #19 Thanks @hulu1522
- Removed all session_cipher_* deprecated settings (it was somewhat broken in 2.1).
- Changed session secret to be by default 32 bytes of random data. See Also: #18 Thanks @iain-buclaw-sociomantic
- Added documentation about removed features and corrected the documentation about session secret size accordingly.
- Added architecture for Cipher adapter plugins. See Also: #16 Thanks @mingfang
- Implemented AES cipher adapter (just like it was before)
- Implemented None cipher adapter (no encryption)
- Added documentation about pluggable ciphers
- Changed JSON serializer to use cjson.safe instead
- Added architecture for Storage adapter plugins. See Also: #13
- Implemented Client Side Cookie storage adapter.
- Implemented Memcache storage adapter. See Also: #14 Thanks @zandbelt
- Implemented Redis storage adapter.
- Implemented Shared Dictionary (shm) storage adapter.
- Added architecture for Encoder and Decoder plugins.
- Implemented Base 64 encoder / decoder.
- Implemented Base 16 (hex) encoder / decoder.
- Added architecture for Serializer plugins
- Implemented JSON serializer.
- Persistent cookies will now also contain Max-Age in addition to Expires.
- Cookie domain attribute is not set anymore if not specified.
- Added notes about using lua-resty-session with Lua code cache turned off. See also: #15 Thanks @BizShuk
- Added session.open() function that only opens a session but doesn't send the cookie (until start is called). See also: #12 Thanks @junhanamaki
- Fixed cookie expiration time format on Firefox bug: #10 Thanks @junhanamaki
- Bugfix: Fixed an issue of overwriting a variable: #11 Thanks @junhanamaki
- Fixed truncated cookie value bug: #8 Thanks @kipras
- Cookies are not always "secure": #5 Thanks @vladimir-smirnov-sociomantic
- Added documentation about Nginx SSL/TLS configuration settings related to session lifetime and ssl session ids.
- Bugfix: Fixed an issue where session configurations got cached on a module level. This issue is discussed in pull-request #4: #4 Thanks @kipras.
- Added session.new function.
- Added documentation about Nginx configuration used as defaults (not read on every request), and documented session.new.
- session.start{ ... } (a call with config parameters) works now as expected.
- session.start now returns an additional boolean parameter that can be used to check if the session is a new session (false) or a previously started one (true).
- Added support for persistent sessions. See issue #2.
- Added session.check.ssi, session.cookie.persistent and the related Nginx configuration variables.
- Added Max-Age=0 to expiration code.
- Changed encode and decode functions to operate with correct number of arguments. See issue #1.
- There was a bug where the additional user agent, scheme, and remote addr checks (disabled by default) were not performed.
- Added _VERSION field.
- Simplified the code a lot (e.g. internal setcookie and getcookie functions are now cleaner). Removed a lot of unnecessary lines from session.start by adding configs directly to the session prototype.
- LuaRocks Support via MoonRocks.