Changelog

All notable changes to lua-resty-session will be documented in this file.

[4.0.5] - 2023-08-16

Fixed

  • fix(dshm/memcached): add a missing return parameter as otherwise pool parameters are not respected, fix #171

[4.0.4] - 2023-06-05

Changed

  • chore(utils): remove dependency for lua_pack, fix #158

[4.0.3] - 2023-02-21

Fixed

  • fix(*): redis authorization

[4.0.2] - 2023-02-15

Fixed

  • fix(*): hkdf is not approved by FIPS, use PBKDF2 instead on FIPS-mode

[4.0.1] - 2023-02-05

Fixed

  • fix(session): clear_request cookie to check remember_meta correctly before using it

Added

  • feat(opm): add more dependencies in requires
  • feat(opm): add right version number requirements
  • docs(readme): add remark on dependencies on installation section

[4.0.0] - 2023-02-01

  • Full rewrite of the library; it is not backwards compatible. Refer to the new documentation for this new library.

[3.10] - 2022-01-14

Fixed

  • 3.9 introduced an issue where calling session:regenerate with flush=true didn't really flush if the session strategy was regenerate.

[3.9] - 2022-01-14

Fixed

  • Fix #138, where chunked cookies were not expired when the session shrinks, thanks @alexdowad.
  • Fix #134 where regenerate strategy destroyed previous session when calling session:regenerate, it should just ttl the old session.

Added

  • AES GCM mode support was added to AES cipher. This is recommended, but for backward compatibility it was not set as default. It will be changed in 4.0 release.
  • Redis ACL authentication is now available.
    • Add session_redis_username
    • Add session_redis_password
    • Deprecate session_redis_auth; use session_redis_password

Changed

  • Optimize Redis and Memcache storage adapters to not connect to database when not needed.

[3.8] - 2021-01-04

Added

  • Connection options are now passed to redis cluster client as well.

[3.7] - 2020-10-27

Fixed

  • Fix #107 where session.start could release a lock for a short period

Added

  • Add keep_lock argument to session.open
  • Add pluggable compressors, and implement none and zlib compressor

[3.6] - 2020-06-24

Fixed

  • Fix session:hide() to only send a single Cookie header at most as reported by @jharriman who also provided a fix with #103. Thank you!

[3.5] - 2020-05-22

Fixed

  • Fix session:hide() to not clear non-session request cookies that it seemed to do in some cases as reported by @altexy who also provided initial fix with #100. Thank you!

[3.4] - 2020-05-08

Fixed

  • Fix session_cookie_maxsize - error attempt to compare string with number, fixes #98, thank you @vavra5

Changed

  • More robust and uniform configuration parsing

[3.3] - 2020-05-06

Fixed

  • Fix set_timeouts is only called if all parameters are available, should fix #96, thank you @notdodo.

Added

  • Add $session_memcache_connect_timeout configuration option
  • Add $session_memcache_read_timeout configuration option
  • Add $session_memcache_send_timeout configuration option
  • Add $session_memcache_pool_name configuration option
  • Add $session_memcache_pool_backlog configuration option
  • Add $session_dshm_connect_timeout configuration option
  • Add $session_dshm_read_timeout configuration option
  • Add $session_dshm_send_timeout configuration option
  • Add $session_dshm_pool_name configuration option
  • Add $session_dshm_pool_backlog configuration option

[3.2] - 2020-04-30

Added

  • Support for Redis clusters
  • Add $session_redis_connect_timeout configuration option
  • Add $session_redis_read_timeout configuration option
  • Add $session_redis_send_timeout configuration option
  • Add $session_redis_pool_name configuration option
  • Add $session_redis_pool_backlog configuration option
  • Add $session_redis_cluster_name configuration option
  • Add $session_redis_cluster_dict configuration option
  • Add $session_redis_cluster_maxredirections configuration option
  • Add $session_redis_cluster_nodes configuration option

[3.1] - 2020-03-28

Added

  • A more flexible way to specify custom implementations: require "resty.session".new { storage = require "my.storage" }

[3.0] - 2020-03-27

Fixed

  • Lock releasing is a lot more robust now

Added

Changed

  • The whole codebase was refactored and simplified, especially implementing new storage adapters is now a lot easier
  • Redis and Memcached spinlockwait was changed from microseconds to milliseconds and the default is set to 150 milliseconds.
  • Redis and Memcache will only release locks that current session instance holds
  • DSHM session_dshm_store was renamed to session_dshm_region
  • BASE64 encoding now strips the padding

[2.26] - 2020-02-11

Added

  • Add support for SameSite=None (#83) (thanks @bodewig)
  • Style changes (#77) (thanks @Tieske)

[2.25] - 2019-11-06

Added

  • Add SSL support for the Redis storage option (#75) (thanks @tieske)
  • DSHM storage adapter (a distributed SHM storage based on Hazelcast for Nginx) (thanks @grrolland)

[2.24] - 2019-07-09

Fixed

  • Avoid using unix socket and redis password with empty string
  • Provide session id when closing, otherwise the lock is not deleted

Added

  • Added a configuration for session cookie max size (session.cookie.maxsize)

[2.23] - 2018-12-12

Added

  • Added pluggable strategies with default and a new regenerate strategy
  • Added pluggable hmacs
  • Added session.close
  • Added ttl to storages
  • Added session.cookie.discard, a ttl for how long to keep old sessions when renewing (used by the regenerate strategy)

[2.22] - 2018-03-17

Fixed

  • Only sets self.cookie.secure if not defined.

[2.21] - 2018-03-16

Screwed

  • Forgot to bump version number.

[2.20] - 2018-03-16

Fixed

  • Fixes issue where check addr and check scheme could be faked. See also: #47 Thanks @nielsole

[2.19] - 2017-09-19

Fixed

  • Fixes small bug where aes could generate invalid salt on invalid input that further crashes Lua with error: bad argument #2 to 'salt' (number expected, got no value)

[2.18] - 2017-07-10

Fixed

  • Automatically creates exactly 64-bit salt as required by the latest lua-resty-string. See also: #40 Thanks @peturorri

[2.17] - 2017-06-12

Added

  • Added session.hide() function to hide session cookies from upstream on reverse proxy scenarios.

[2.16] - 2017-05-31

Changed

  • Delays setting the defaults until needed, allowing users to safely require "resty.session" in different contexts.

[2.15] - 2017-02-13

Added

  • Added support for chunked cookies. See also: #35 Thanks @zandbelt

[2.14] - 2016-12-16

Fixed

  • Lua code configuration parsing corrections (especially on boolean options).

Added

  • Added a more natural way to pass config arguments to storage adapters and ciphers in Lua code. See also: #34 Thanks @hanxi

[2.13] - 2016-11-21

Changed

  • On start we now also send the cookie if the settings have changed and the cookie expiry time needs to be reduced.

Fixed

  • Memcache storage adapter had a missing ngx.null.

[2.12] - 2016-11-21

Added

  • Implemented pluggable session identifier generators.
  • Implemented random session identifier generator.

Changed

  • Now checks if headers were already sent before trying to set the cookie headers.
  • SSL session identifier is not checked by default anymore.
  • Lua session.identifier.length changed to session.random.length.
  • Nginx $session_identifier_length changed to $session_random_length.

[2.11] - 2016-09-30

Changed

  • Just another OPM release to correct the name.

[2.10] - 2016-09-29

Added

  • Support for the official OpenResty package manager (opm).

Changed

  • Changed the change log format to keep-a-changelog.

[2.9] - 2016-09-01

Fixed

  • Bugfix: Weird bug where RAND_bytes was not working on Windows platform. Code changed to use resty.random. See Also: #31 Thanks @gtuxyco

[2.8] - 2016-07-05

Fixed

  • Bugfix: AES Cipher used a wrong table for cipher sizes. See Also: #30 Thanks @pronan

[2.7] - 2016-05-18

Added

  • Redis storage adapter now supports Redis authentication. See Also: #28 Thanks @cheng5533062

[2.6] - 2016-04-18

Changed

  • Just cleanups and changed _VERSION to point to the correct version.

[2.5] - 2016-04-18

Fixed

  • session.save close argument was not defaulting to true.

[2.4] - 2016-04-17

Added

  • Cookie will now have SameSite attribute set as "Lax" by default. You can turn it off or set to "Strict" by configuration.

Changed

  • Calling save will now also set session.id if the save was called without calling start first. See Also: #27 Thanks @hcaihao

[2.3] - 2015-10-16

Fixed

  • Fixes issue #19 where regenerating session would throw an error when using cookie storage. See Also: #19 Thanks @hulu1522

[2.2] - 2015-09-17

Changed

  • Removed all session_cipher_* deprecated settings (it was somewhat broken in 2.1).
  • Changed session secret to be 32 bytes of random data by default. See Also: #18 Thanks @iain-buclaw-sociomantic

Added

  • Added documentation about removed features and corrected the documentation about session secret size accordingly.

[2.1] - 2015-09-07

Added

  • Added architecture for Cipher adapter plugins. See Also: #16 Thanks @mingfang
  • Implemented AES cipher adapter (just like it was before)
  • Implemented None cipher adapter (no encryption)
  • Added documentation about pluggable ciphers

Changed

  • Changed JSON serializer to use cjson.safe instead

[2.0] - 2015-08-31

Added

  • Added architecture for Storage adapter plugins. See Also: #13
  • Implemented Client Side Cookie storage adapter.
  • Implemented Memcache storage adapter. See Also: #14 Thanks @zandbelt
  • Implemented Redis storage adapter.
  • Implemented Shared Dictionary (shm) storage adapter.
  • Added architecture for Encoder and Decoder plugins.
  • Implemented Base 64 encoder / decoder.
  • Implemented Base 16 (hex) encoder / decoder.
  • Added architecture for Serializer plugins
  • Implemented JSON serializer.
  • Persistent cookies will now also contain Max-Age in addition to Expires.
  • Cookie domain attribute is not set anymore if not specified.
  • Added notes about using lua-resty-session with Lua code cache turned off. See also: #15 Thanks @BizShuk

[1.7] - 2015-08-03

Added

  • Added session.open() function that only opens a session but doesn't send the cookie (until start is called). See also: #12 Thanks @junhanamaki

Fixed

  • Fixed cookie expiration time format on Firefox bug: #10 Thanks @junhanamaki
  • Bugfix: Fixed an issue of overwriting a variable: #11 Thanks @junhanamaki

[1.6] - 2015-05-05

Fixed

  • Fixed truncated cookie value bug: #8 Thanks @kipras

[1.5] - 2014-11-27

Fixed

  • Cookies are not always "secure": #5 Thanks @vladimir-smirnov-sociomantic

Added

  • Added documentation about Nginx SSL/TLS configuration settings related to session lifetime and ssl session ids.

[1.4] - 2014-11-26

Fixed

  • Bugfix: Fixed an issue where session configurations did get cached on a module level. This issue is discussed in pull-request #4: #4 Thanks @kipras.

Added

  • Added session.new function.
  • Added documentation about Nginx configuration used as defaults (not read on every request), and documented session.new.

Changed

  • session.start{ ... } (a call with config parameters) works now as expected.
  • session.start now returns an additional boolean parameter that can be used to check if the session is a new session (false) or a previously started one (true).

[1.3] - 2014-11-14

Added

  • Added support for persistent sessions. See issue #2.
  • Added session.check.ssi, session.cookie.persistent and the related Nginx configuration variables.
  • Added Max-Age=0 to expiration code.

[1.2] - 2014-10-12

Fixed

  • Changed encode and decode functions to operate with correct number of arguments. See issue #1.

[1.1] - 2014-10-03

Security

  • There was a bug where additional user agent, scheme, and remote addr checks (disabled by default) were not performed.

Added

  • Added _VERSION field.

Changed

  • Simplified the code a lot (e.g. internal setcookie and getcookie functions are now cleaner). Removed a lot of unnecessary lines from session.start by adding configs directly to session prototype.

[1.0] - 2014-09-24

Added

  • LuaRocks Support via MoonRocks.