CGI::Session Change Log
=====================================================================

4.14 - Sunday, June 11, 2006

    * NEW: The find() command now has better documentation. (Ron Savage, Matt LeBlanc)
    * FIX: find() no longer changes the access or modified times (RT#18442) (Matt LeBlanc)
    * FIX: param() called with two parameters now returns the value set, if any (RT#18912) (Matt LeBlanc)
    * FIX: driver, serializer, and id generator names are now untainted (RT#18873) (Matt LeBlanc)
    * INTERNAL: automatic flushing has been documented to be unreliable, although
      it was recommended in the past. Automatic flushing can be affected adversely 
      in persistent environments and in some cases by third party software. There are 
      also some cases in which flushing happened automatically in 3.x, but quit working
      with 4.x. See these tickets for details.

       http://rt.cpan.org/Ticket/Display.html?id=17541
       http://rt.cpan.org/Ticket/Display.html?id=17299

4.13 - Wednesday, April 12, 2006

    * FIX: Applied patch to fix cookie method (RT#18493, Nobuaki ITO)
    * FIX: Berkeley DB 1.x exhibits a bug when used in conjunction with O_NOFOLLOW. Because of this,
      we've removed it from the db_file driver. It will still attempt to stop symlinks but the
      open itself has dropped the flag. (Matt LeBlanc)
    * FIX: json and yaml db_file tests now check for the presence of DB_File. (Matt LeBlanc)

4.12 - Friday, April 7, 2006

    * SECURITY: Fix possible SQL injection attack. (RT#18578, DMUEY)

4.11 - Friday, March 31, 2006
    
    * FIX: Since 4.10, using name() as a class method was broken. This has
      been fixed, and regression tests for both uses have been added. (Matt LeBlanc)

4.10 - Tuesday, March 28, 2006

    * SECURITY: Hopefully this settles all of the problems with symlinks. Both the file
      and db_file drivers now use O_NOFOLLOW with open when the file should exist and
      O_EXCL|O_CREAT when creating the file. Tests added for symlinks. (Matt LeBlanc)
    * SECURITY: sqlite driver no longer attempts to use /tmp/sessions.sqlt when no
      Handle or DataSource is specified. This was a mistake from a security standpoint
      as anyone on the machine would then be able to create and therefore insert data
      into your sessions. (Matt LeBlanc)
    * NEW: name is now an instance method (RT#17979) (Matt LeBlanc)
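
Added example, not CGI::Session's own driver code: a minimal sketch of the open policy described in the 4.10 SECURITY entry (O_NOFOLLOW for a file that should exist, O_EXCL|O_CREAT for a new one), run against a constructed temporary directory. The helper name open_session_file, the file names, and the 0660 permission argument are assumptions made for illustration; it assumes a POSIX system with symlink support.

```perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT);
use File::Temp qw(tempdir);

# O_NOFOLLOW is not defined on every platform; Fcntl croaks there, so use 0.
my $NOFOLLOW = eval { O_NOFOLLOW } || 0;

# Hypothetical helper: open a session file for writing without following links.
sub open_session_file {
    my ($path, $perms) = @_;

    # Explicit check, for platforms where O_NOFOLLOW is unavailable.
    die "refusing symlink: $path\n" if -l $path;

    # Existing file: open it, but never through a symlink.
    # New file: creation must be exclusive, so a file or link that appears
    # between the check above and the open makes sysopen fail.
    my $mode = (-e $path)
        ? (O_WRONLY | $NOFOLLOW)
        : (O_WRONLY | O_CREAT | O_EXCL);

    sysopen(my $fh, $path, $mode, $perms) or die "sysopen $path: $!\n";
    return $fh;
}

# Constructed sandbox, not a real session directory.
my $dir     = tempdir(CLEANUP => 1);
my $session = "$dir/cgisess_constructed";
my $other   = "$dir/other_users_file";

# 1. Creating a new session file succeeds.
my $fh = open_session_file($session, 0660);
print {$fh} "constructed session data\n";
close $fh;

# 2. Reopening the existing regular file succeeds.
$fh = open_session_file($session, 0660);
close $fh;

# 3. A symlink sitting at the session path is refused instead of followed.
open(my $o, '>', $other) or die "open $other: $!\n";
close $o;
unlink $session or die "unlink $session: $!\n";
symlink($other, $session) or die "symlink: $!\n";

my $opened = eval { open_session_file($session, 0660); 1 };
print $opened ? "symlink was followed\n" : "rejected: $@";
```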

4.09 - Friday, March 16th, 2006

    * SECURITY: Applying security patch from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 (Julien Danjou)

4.08 - Thursday, March 15th, 2006

    * FIX: DESTROY was sometimes wiping out exception handling. RT#18183, Matt LeBlanc.
    * SECURITY: Resolve some issues in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555
      - db_file and file now check for symlinks either explicitly or by using O_EXCL on sysopen
      - file creation umask defaults to 660
    * NEW: db_file and file drivers now accept a UMask option. (Matt LeBlanc)
    * INTERNAL: test suite clean up (Tyler MacDonald)

4.07 - Thursday, March 9th, 2006

    * INTERNAL: MANIFEST update to fix release.

4.06 - Wednesday, March 3rd, 2006

    * INTERNAL: MANIFEST update to fix release.

4.06 - Wednesday, March 8th, 2006

    * FIX: some stray warnings when flushing:  "Use of uninitialized value in numeric eq (==)" (RT#14603)
    * NEW: JSON and YAML serializers (Tyler MacDonald)
    * INTERNAL: CGI::Session::Test::Default accepts a "skip" argument,
      listing tests that should be skipped. (Tyler)

4.05 - Friday, March 3rd, 2006
    * FIX: Race condition fixed when writing to session files (RT#17949)

4.04 - Wednesday, March 01, 2006
    * NEW: File driver now has option to disable flock (for those running
      Win 9x, VMS, MacPerl, VOS and RISC OS). (Matt LeBlanc)
    * FIX: If DBI driver was initialized using 'Handle', Driver::DBI::init()
      returned false, and Driver::new() thought init failed and kept returning
      undef. The problem was fixed by making sure Driver::DBI::init() returned
      true. (Sherzod)
    * Added .*cgisess.* to exclude cgisess.db, cgisess.id, and any session
      files created in the t directory. (Matt LeBlanc)
    * FIX: File driver now respects $CGI::Session::File::FileName for 3.9x
      compatibility. (Matt LeBlanc)
    * FIX: Default serializer now properly handles data structures that appear
      more than once in the serialized data structure (before it'd result in data
      structures that were equivalent but did not have the same address). (Matt LeBlanc)
    * FIX: File driver now localizes the filehandle to avoid any possibility
      of extended locking in persistent environments (Matt LeBlanc)
    * FIX: File driver now locks the file when retrieving the session data (Matt LeBlanc)
    * NEW: DBI Drivers now support a lazy loaded database handle. This is useful with the
      CGI::Application plugin system. If the session is never used, the database handle may
      not need to be created. The syntax is to use a code ref:
        Handle => sub {DBI->connect} (Mark Stosberg)

    Finally, be aware that since 4.0 some people have reported problems with
    the auto-flushing code. There may be an unresolved issue. You can always call
    flush() to be safe. Input or code contributions for the issue are
    appreciated. Some related tickets include:

    http://rt.cpan.org/Public/Bug/Display.html?id=14604
    http://rt.cpan.org/Public/Bug/Display.html?id=16861
    http://rt.cpan.org/Public/Bug/Display.html?id=17541
    http://rt.cpan.org/Public/Bug/Display.html?id=17299

4.03 - Wednesday, October 05, 2005
    * FIX: automatic flushing did not work if session object was global
    * FIX: Default serializer can now serialize objects (Matt LeBlanc)
    * INTERNAL: SQLite driver no longer needs MIME::Base64 for encoding (Matt LeBlanc)

4.02 - Friday, September 02, 2005
    * FIX: remote_addr() was missing (RT#14414)

4.01 - Thursday, September 01, 2005
    * FIX: Minor POD fix

4.00 - Wednesday, August 31, 2005

    *** NOTE ***
    The 4.0 release represents a major overhaul of the CGI::Session code base.
    Care has been taken to be 100% compatible with applications developed with 3.x.
    However, you are encouraged to run regression tests with your own applications
    before using this in production.

    * NEW: PostgreSQL driver enhanced to work better with binary serializers (Matt LeBlanc)
    * FIX: update to untainting in default serializer to make "-T" happy (Matt LeBlanc)
    * FIX: CGI::Session (qw/-ip_match/), a 3.x feature, works again (Shawn Sorichetti)
    * INTERNAL: Improved documentation shown during "make", which explains how to run
      database-driven tests. (Mark Stosberg)
    * FIX: to support binary serializers SQLite driver uses MIME::Base64 (Sherzod Ruzmetov)

4.00_09 - Thursday, July 21, 2005

    * CHANGE: Starting with 4.0, it will no longer work to use the syntax of
      CGI::Session::DriverName(). This hasn't been a documented API since CGI::Session 2.94,
      released in August, 2002.
    * FIX: documented etime(), which was present in 3.x (Mark Stosberg)
    * FIX: Added code, test and docs to make $CGI::Session::File::FileName work,
      for 3.x compatibility. (Mark Stosberg)
    * FIX: Providing an expire time like "-10" now works (Mark Stosberg)
    * FIX: Restored close() method, for 3.x compatibility. (Mark Stosberg)
    * FIX: Make ->clear('email') work, for 3.95 compatibility (Mark Stosberg)
    * FIX: Added back is_new() for compatibility with 3.95. (Mark Stosberg)
    * FIX: Support for CGI::Simple is confirmed, resolving RT#6141 (Mark Stosberg)
    * FIX: Add code and tests for $CGI::Session::MySQL::TABLE_NAME, which worked in 3.x (Mark Stosberg)

    * DOCS: CGI::Session now has a public Subversion repository, thanks to Jason Crome.
      See the bottom of the CGI::Session docs for details.

4.00_08 - Tuesday, March 15, 2005

    * FIX: Changes made in 4.00_07 rolled back

4.00_07 - Sunday, March 13, 2005

    * FIX: overloaded objects are now stored properly

4.00_06 - Thursday, February 24, 2005

    * FIX (?): a test script was failing on Win32
    * FIX: inaccurate error reporting in load()

4.00_05 - Tuesday, February 22, 2005

    * FIX: case insensitivity was not enforced properly in CGI::Session::parse_dsn()

4.00_04 - Wednesday, February 16, 2005

    * FIX: Minor fix in test suites and error-checking routines of
      serializers and id-generators

4.00_03 - Friday, February 11, 2005

    * NEW: CGI::Session::find() introduced
    * NEW: traverse() introduced into drivers to support CGI::Session::find()
    * DOCS: More complete driver specs documented

4.00_02 - Wednesday, February 09, 2005

    * FIX: race conditions in Driver/file.pm pointed out by Martin Bartosch

4.00_01 - Wednesday, February 09, 2005

    * NEW: load() - constructor method to prevent unnecessary session creations
    * NEW: is_expired() - method to intercept expired sessions
    * NEW: is_empty() - to intercept requests for nonexistent sessions
    * NEW: more optimized source code
    * NEW: updated and improved driver specs
    * NEW: standard testing framework
    * NEW: 'sqlite' driver

3.12

    * cache() method introduced, which is normally used by library drivers to
      cache certain values within a single process
    * Apache::Session-like tie interface supported (EXPERIMENTAL!)
    * trace() and tracemsg() methods added for debugging purposes

3.8

    * Abbreviations in DSN parameters are supported via Text::Abbrev.
    * Automatic api3 detection makes "-api3" switch obsolete
    * Experimental "-frozen" switch added, but not yet functional.
    * sync_param() utility function added
    * header() replacement to CGI::header() added, which outputs
      proper HTTP headers with session information
    * Private data records have been documented.
    * Bug fixed: clear() kept failing when called with no arguments to be cleared.

3.x

    * Ability to choose between serializers, drivers and id generators
      while creating the session object. Supported via '-api3' switch.
    * New serializers added: Storable, FreezeThaw in addition to Default.
    * New ID generator added: Incr, which generates auto incrementing
      id numbers, in addition to MD5
    * "-ip_match" switch enabled for additional security
    * Expire() method is fully functional
    * Ability to expire certain session parameters
    * Better-documented driver specifications
    * Main documentation is split into two:
        1) CGI::Session and 2) CGI::Session::Tutorial
    * Bug in POD documentation is fixed (thanks to Graham Barr)


$Id: /mirror/cgi-session/trunk/Changes 362 2006-06-11T17:02:41.852663Z markstos  $