Releases: gorilla/sessions

v1.4.0

20 Aug 14:12

Summary

This release adds features needed for compatibility with some of the upcoming cookie security changes from Google, which require a new Partitioned attribute on cookies. That attribute is only available in Go 1.23, which has just recently been released.

If you need a version that is backward compatible with a Go version lower than 1.23, use release v1.3.0.

The following notes show the difference between 1.2.2 and the current version, because 1.3.0 was a hotfix for Go 1.22 and below.

Full Changelog: v1.2.2...v1.4.0

v1.3.0

15 Jun 03:09

The maintainers of this repo merged a PR into main that uses the net/http.Cookie field Partitioned, which is only available in Go 1.23. As a result, the main branch will not work unless users are on Go 1.23, which at the time of writing is unreleased. This broke the install for a number of users, so the intent of this release is to push out a couple of features and bugfixes with the Go 1.23-specific changes removed.

Tagged releases should be used exclusively until Go 1.23 is released.

Full Changelog: v1.2.2...v1.3.0

Release v1.2.2

05 Nov 02:30
3eed1c4

Full Changelog: v1.2.1...v1.2.2

v1.2.1 ✏️

22 Aug 21:06
61fa50d

A minor maintenance release that improves documentation and two new third-party store implementations.

v1.2.0 💾

09 Jul 14:15
4355a99

This release removes gorilla/context as a dependency. sessions now requires Go 1.7 or greater (released August, 2016), which provides a first-class request context for sessions and reduces user-facing complexity.

Bug Fix: SameSite

05 Oct 13:13

This release fixes an oversight in how cookie options were copied internally, impacting SameSite cookie settings.

CHANGELOG

  • [docs] Improve advice around key generation & usage. (#168) @elithrar
  • Set http.Cookie's SameSite field in NewCookie for Go 1.11 or later (#170) @nwidger

v1.1.2 - SameSite Cookie Support

03 Sep 15:53
8154739

gorilla/sessions now supports the SameSite cookie attribute added in Go 1.11.

Cookies with this set (in Strict mode, preferably) are only sent on requests originating from the same origin as the cookie domain, rather than for all requests to that domain no matter the origin.

You can set SameSite on a session by setting session.Options.SameSite to a valid value:

func MyHandler(w http.ResponseWriter, r *http.Request) {
	session, err := store.Get(r, "session-name")
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	// Set the SameSite mode via one of the typed constants described
	// at https://golang.org/pkg/net/http/#SameSite
	session.Options = &sessions.Options{SameSite: http.SameSiteStrictMode}

	if err := session.Save(r, w); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
}

You can read more about the SameSite attribute on Mozilla's blog, or in the RFC itself.

v1.1.1

06 Jun 18:07

Versioning v1.1.1 to correctly comply with SemVer.

CHANGELOG
03b6f63 Add AUTHORS file; update LICENSE (#158)
9ee0d62 [build] Update deps to correct SemVer tags (#153)
a2f2a3d replacing travis badge with scaling svg (#147)
92b749d Add link to XORM store implementation (#149)
7910f5b Added description about Max-Age field in Options (#148)
7087b4d Add go.mod file for vgo dependency management. (#145)
6ba88b7 Prevent panic in NewSession function (#140)
41ee504 Add link to memstore implementation (#143)
fe21b6a Update doc.go (#127)
a3acf13 Add missing error check (#123)

v1.1

23 Sep 05:40
  • gorilla/sessions has long needed an official release (although, strict version tags were less useful prior to vendoring tools)
  • This is the last version that supports gorilla/context, due to the incompatibility between its global map of *http.Requests and Go 1.7's new http.Request.WithContext(). The shallow copy of the request changes the address, causing gorilla/context's map to point to the old request.
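
The failure described in the last bullet, as an added example (not code from gorilla/context or gorilla/sessions). The `registry` type is a hypothetical stand-in for a global map keyed by `*http.Request`; the request path and the stored value are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// registry is a hypothetical stand-in for a package-level store keyed by
// request pointer, the design the note above attributes to gorilla/context.
type registry map[*http.Request]map[string]string

func (g registry) Set(r *http.Request, key, val string) {
	if g[r] == nil {
		g[r] = map[string]string{}
	}
	g[r][key] = val
}

func (g registry) Get(r *http.Request, key string) (string, bool) {
	val, ok := g[r][key] // reading a missing request yields a nil inner map
	return val, ok
}

type ctxKey struct{}

// lookups stores a value under the original request, derives a copy with
// WithContext (as any context-setting middleware does), and reports which
// lookups still succeed.
func lookups() (origHit, copyHit bool, fromCtx string) {
	reg := registry{}
	r := httptest.NewRequest(http.MethodGet, "/account", nil) // constructed request
	reg.Set(r, "session-name", "user=alice")                  // constructed value

	// WithContext returns a shallow copy of the request at a new address.
	r2 := r.WithContext(context.WithValue(r.Context(), ctxKey{}, "user=alice"))

	_, origHit = reg.Get(r, "session-name")  // original pointer: found
	_, copyHit = reg.Get(r2, "session-name") // copied pointer: not found
	fromCtx, _ = r2.Context().Value(ctxKey{}).(string)
	return origHit, copyHit, fromCtx
}

func main() {
	fmt.Println(lookups())
}
```

A handler that receives the copied request sees no entry in the pointer-keyed map, while the value carried in the request context follows the copy.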