Releases: psr7-sessions/storageless
8.0.0
Release 8.0.0
This is a major release and breaks backwards compatibility.
Specifically, following changes are relevant:
[BC] REMOVED: Constant PSR7Sessions\Storageless\Http\SessionMiddleware::ISSUED_AT_CLAIM was removed
[BC] REMOVED: Method PSR7Sessions\Storageless\Http\SessionMiddleware::fromAsymmetricKeyDefaults() was removed
[BC] CHANGED: The parameter $signer of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from Lcobucci\JWT\Signer to a non-contravariant Lcobucci\JWT\Configuration
[BC] CHANGED: The parameter $signatureKey of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from string to a non-contravariant Dflydev\FigCookies\SetCookie
[BC] CHANGED: The parameter $verificationKey of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from string to a non-contravariant int
[BC] CHANGED: The parameter $defaultCookie of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from Dflydev\FigCookies\SetCookie to a non-contravariant Lcobucci\Clock\Clock
[BC] CHANGED: The parameter $tokenParser of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from Lcobucci\JWT\Parser to a non-contravariant int
[BC] CHANGED: The parameter $symmetricKey of PSR7Sessions\Storageless\Http\SessionMiddleware::fromSymmetricKeyDefaults() changed from string to a non-contravariant Lcobucci\JWT\Signer\Key
8.0.0
- Total issues resolved: 0
- Total pull requests resolved: 2
- Total contributors: 2
dependencies
BC break,dependencies,enhancement
7.3.0
Release 7.3.0
7.3.0
- Total issues resolved: 0
- Total pull requests resolved: 2
- Total contributors: 2
bug,enhancement
- 152: Backport jwt:4 adaptations and plus operator over numeric-key arrays bugfix thanks to @Slamdunk
documentation,enhancement
7.2.0
Release 7.2.0
7.2.0
- Total issues resolved: 0
- Total pull requests resolved: 1
- Total contributors: 1
dependencies,enhancement
7.1.0
Release 7.1.0
7.1.0
- Total issues resolved: 1
- Total pull requests resolved: 7
- Total contributors: 2
dependencies,enhancement
- 136: Configure automatic releases secrets thanks to @Ocramius
- 134: Github actions, dependency upgrades, switching to psalm with
totallyTyped="true"thanks to @Ocramius
dependencies,duplicate
- 133: Update laminas/laminas-diactoros requirement from ^2.2.3 to ^2.3.1 thanks to @dependabot-preview[bot]
- 132: Update phpunit/phpunit requirement from ^9.0.2 to ^9.2.6 thanks to @dependabot-preview[bot]
- 130: Update laminas/laminas-httphandlerrunner requirement from ^1.1.0 to ^1.2.0 thanks to @dependabot-preview[bot]
- 129: Update infection/infection requirement from ^0.16.1 to ^0.16.4 thanks to @dependabot-preview[bot]
- 126: Update lcobucci/jwt requirement from ^3.3.1 to ^3.3.2 thanks to @dependabot-preview[bot]
- 122: Update squizlabs/php_codesniffer requirement from ^3.5.4 to ^3.5.5 thanks to @dependabot-preview[bot]
7.0.0
This release renames the default session cookie to add a __Secure- prefix, which, in compliant user agents, means that the cookie will be rejected when used in insecure contexts (such as HTTPS to HTTP downgrade).
This change is a major BC break, since upgrading the library will now lead to active sessions being dropped when deploying an application with this new version.
References:
- https://scotthelme.co.uk/tough-cookies/
- https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
Total issues resolved: 3
6.0.0
This release migrates the library from zendframework/* components
to mezzio/* and laminas/* components.
Since the inherited symbols changed namespace completely, this had
to be done in a new major release.
Total issues resolved: 24
- 90: Update infection/infection requirement from ^0.13.4 to ^0.13.6 thanks to @dependabot-preview[bot]
- 91: Update phpunit/phpunit requirement from ^8.3.3 to ^8.3.4 thanks to @dependabot-preview[bot]
- 92: Update phpstan/phpstan requirement from ^0.11.12 to ^0.11.15 thanks to @dependabot-preview[bot]
- 93: Update squizlabs/php_codesniffer requirement from ^3.4.2 to ^3.5.0 thanks to @dependabot-preview[bot]
- 94: Update phpunit/phpunit requirement from ^8.3.4 to ^8.3.5 thanks to @dependabot-preview[bot]
- 95: Update phpstan/phpstan requirement from ^0.11.15 to ^0.11.16 thanks to @dependabot-preview[bot]
- 96: Update squizlabs/php_codesniffer requirement from ^3.4.2 to ^3.5.2 thanks to @dependabot-preview[bot]
- 97: Update phpunit/phpunit requirement from ^8.3.4 to ^8.4.3 thanks to @dependabot-preview[bot]
- 98: Update zendframework/zend-diactoros requirement from ^2.1.3 to ^2.2.1 thanks to @dependabot-preview[bot]
- 99: Update phpstan/phpstan requirement from ^0.11.15 to ^0.11.19 thanks to @dependabot-preview[bot]
- 100: Update squizlabs/php_codesniffer requirement from ^3.4.2 to ^3.5.3 thanks to @dependabot-preview[bot]
- 101: Update doctrine/coding-standard requirement from ^6.0.0 to ^7.0.2 thanks to @dependabot-preview[bot]
- 102: Update phpunit/phpunit requirement from ^8.3.4 to ^8.5.1 thanks to @dependabot-preview[bot]
- 103: Update phpunit/phpunit requirement from ^8.3.4 to ^8.5.2 thanks to @dependabot-preview[bot]
- 104: Replace
zendframework/withlaminas/thanks to @Ocramius - 105: Run coverage when on PHP 7.4 thanks to @Ocramius
- 106: Run scrutinizer-ci with PHP 7.4.0 thanks to @Ocramius
- 108: Update infection/infection requirement from ^0.13.6 to ^0.15.0 thanks to @dependabot-preview[bot]
- 109: Update squizlabs/php_codesniffer requirement from ^3.5.3 to ^3.5.4 thanks to @dependabot-preview[bot]
- 110: Update dflydev/fig-cookies requirement from ^2.0.0 to ^2.0.1 thanks to @dependabot-preview[bot]
- 111: Update infection/infection requirement from ^0.13.6 to ^0.15.3 thanks to @dependabot-preview[bot]
- 112: Update lcobucci/clock requirement from ^1.2.0 to ^1.3.0 thanks to @dependabot-preview[bot]
- 113: Fix #104: upgraded from
zendframework/*tomezzio/*andlaminas/*components thanks to @Ocramius - 114: Update phpunit/phpunit requirement from ^8.5.2 to ^9.0.1 thanks to @dependabot-preview[bot]
5.1.0
This release upgrades the codebase to latest dependencies, introducing
testing for PHP 7.3, and hardening the test suite and code style.
Total issues resolved: 8
- 81: Upgrade to
infection/infection0.10 thanks to @Ocramius - 83: Update squizlabs/php_codesniffer requirement from ^3.3.1 to ^3.4.2 thanks to @dependabot-preview[bot]
- 84: Update phpunit/phpunit requirement from ^7.3.1 to ^8.3.3 thanks to @dependabot-preview[bot]
- 85: Update psr/http-server-handler requirement from ^1.0.0 to ^1.0.1 thanks to @dependabot-preview[bot]
- 86: Update lcobucci/jwt requirement from ^3.2.4 to ^3.3.1 thanks to @dependabot-preview[bot]
- 87: Update psr/http-server-middleware requirement from ^1.0.0 to ^1.0.1 thanks to @dependabot-preview[bot]
- 88: Upgraded to
doctrine/coding-standard6.0 thanks to @Ocramius - 89: Test against PHP 7.3, skip PHP nightly thanks to @Ocramius
5.0.0
This release improves the security of the library by preventing most session-related
CSRF attacks on unsafe HTTP methods (such as POST, PUT, etc.) by introducing a
SameSite=Lax cookie policy when using the PSR7Sessions\Storageless\Http\SessionMiddleware
defaults.
The addition of SameSite=Lax counts as a BC break, since cross-domain POST requests will no
longer transmit the session cookie: if you rely on that, be sure to customise the
SessionMiddleware constructor parameters with your own cookie blueprint.
In addition to these changes, following has been introduced:
- The minimum supported PHP version is now 7.2.0
- Static analysis was added to the build pipeline
- Test suite and mutation test suite were upgraded
4.0.0
This release aligns the PSR7Sessions\Storageless\Http\SessionMiddleware to
the PSR-15 php-fig/http-server-middleware
specification.
This means that the signature of PSR7Sessions\Storageless\Http\SessionMiddleware
changed, and therefore you need to look for usages of this class and verify
if the new signature is compatible with your API
Specifically, PSR7Sessions\Storageless\Http\SessionMiddleware#__invoke()
was removed.
3.0.1
This release fixes an issue that prevented effective lazy-loading of the
session object. Specifically, crypto functionality was being started at
each request dispatch, while it is not needed every time.
Total issues resolved: 2