8.1.0

Release Notes for 8.1.0

8.1.0

• Total issues resolved: 0
• Total pull requests resolved: 7
• Total contributors: 4

dependencies,enhancement

• 182: Support PHP 8.1, Drop PHP 7 support, set up Dependabot and CI automation thanks to @Ocramius

dependencies

• 180: Bump infection/infection from 0.21.0 to 0.24.0 thanks to @dependabot-preview[bot]
• 177: Bump psalm/plugin-phpunit from 0.15.2 to 0.16.1 thanks to @dependabot-preview[bot]
• 170: Bump composer/composer from 1.10.20 to 1.10.22 in /tools thanks to @dependabot[bot]
• 168: Bump doctrine/coding-standard from 8.2.0 to 9.0.0 thanks to @dependabot-preview[bot]
• 160: Upgrade to GitHub-native Dependabot thanks to @dependabot-preview[bot]

enhancement

• 159: Local dev: hint when it's not necessary thanks to @Slamdunk

8.0.0

Release 8.0.0

This is a major release and breaks backwards compatibility.

Specifically, following changes are relevant:

[BC] REMOVED: Constant PSR7Sessions\Storageless\Http\SessionMiddleware::ISSUED_AT_CLAIM was removed
[BC] REMOVED: Method PSR7Sessions\Storageless\Http\SessionMiddleware::fromAsymmetricKeyDefaults() was removed
[BC] CHANGED: The parameter $signer of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from Lcobucci\JWT\Signer to a non-contravariant Lcobucci\JWT\Configuration
[BC] CHANGED: The parameter $signatureKey of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from string to a non-contravariant Dflydev\FigCookies\SetCookie
[BC] CHANGED: The parameter $verificationKey of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from string to a non-contravariant int
[BC] CHANGED: The parameter $defaultCookie of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from Dflydev\FigCookies\SetCookie to a non-contravariant Lcobucci\Clock\Clock
[BC] CHANGED: The parameter $tokenParser of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from Lcobucci\JWT\Parser to a non-contravariant int
[BC] CHANGED: The parameter $symmetricKey of PSR7Sessions\Storageless\Http\SessionMiddleware::fromSymmetricKeyDefaults() changed from string to a non-contravariant Lcobucci\JWT\Signer\Key

8.0.0

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

dependencies

• 154: Bump dflydev/fig-cookies from 2.0.1 to 3.0.0 thanks to @dependabot-preview[bot]

BC break,dependencies,enhancement

• 146: Update lcobucci/jwt requirement to ^4.1 thanks to @Slamdunk

7.3.0

Release 7.3.0

7.3.0

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

bug,enhancement

• 152: Backport jwt:4 adaptations and plus operator over numeric-key arrays bugfix thanks to @Slamdunk

documentation,enhancement

• 150: Document usage in local develoment environment where HTTPS is not available (plain HTTP only) thanks to @mnapoli

7.2.0

Release 7.2.0

7.2.0

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

dependencies,enhancement

• 138: Update lcobucci/clock requirement from ^1.3.0 to ^2.0.0 thanks to @Slamdunk

7.1.0

Release 7.1.0

7.1.0

• Total issues resolved: 1
• Total pull requests resolved: 7
• Total contributors: 2

dependencies,enhancement

• 136: Configure automatic releases secrets thanks to @Ocramius
• 134: Github actions, dependency upgrades, switching to psalm with totallyTyped="true" thanks to @Ocramius

dependencies,duplicate

• 133: Update laminas/laminas-diactoros requirement from ^2.2.3 to ^2.3.1 thanks to @dependabot-preview[bot]
• 132: Update phpunit/phpunit requirement from ^9.0.2 to ^9.2.6 thanks to @dependabot-preview[bot]
• 130: Update laminas/laminas-httphandlerrunner requirement from ^1.1.0 to ^1.2.0 thanks to @dependabot-preview[bot]
• 129: Update infection/infection requirement from ^0.16.1 to ^0.16.4 thanks to @dependabot-preview[bot]
• 126: Update lcobucci/jwt requirement from ^3.3.1 to ^3.3.2 thanks to @dependabot-preview[bot]
• 122: Update squizlabs/php_codesniffer requirement from ^3.5.4 to ^3.5.5 thanks to @dependabot-preview[bot]

7.0.0

This release renames the default session cookie to add a __Secure- prefix, which, in compliant user agents, means that the cookie will be rejected when used in insecure contexts (such as HTTPS to HTTP downgrade).

This change is a major BC break, since upgrading the library will now lead to active sessions being dropped when deploying an application with this new version.

References:

• https://scotthelme.co.uk/tough-cookies/
• https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00

Total issues resolved: 3

• 115: Update infection/infection requirement from ^0.15.3 to ^0.16.1 thanks to @dependabot-preview[bot]
• 118: Limitations: pinpoint how to invalidate all active sessions thanks to @Slamdunk
• 119: Set "__Secure-" Cookie Prefix by default thanks to @Slamdunk

6.0.0

This release migrates the library from zendframework/* components
to mezzio/* and laminas/* components.

Since the inherited symbols changed namespace completely, this had
to be done in a new major release.

Total issues resolved: 24

• 90: Update infection/infection requirement from ^0.13.4 to ^0.13.6 thanks to @dependabot-preview[bot]
• 91: Update phpunit/phpunit requirement from ^8.3.3 to ^8.3.4 thanks to @dependabot-preview[bot]
• 92: Update phpstan/phpstan requirement from ^0.11.12 to ^0.11.15 thanks to @dependabot-preview[bot]
• 93: Update squizlabs/php_codesniffer requirement from ^3.4.2 to ^3.5.0 thanks to @dependabot-preview[bot]
• 94: Update phpunit/phpunit requirement from ^8.3.4 to ^8.3.5 thanks to @dependabot-preview[bot]
• 95: Update phpstan/phpstan requirement from ^0.11.15 to ^0.11.16 thanks to @dependabot-preview[bot]
• 96: Update squizlabs/php_codesniffer requirement from ^3.4.2 to ^3.5.2 thanks to @dependabot-preview[bot]
• 97: Update phpunit/phpunit requirement from ^8.3.4 to ^8.4.3 thanks to @dependabot-preview[bot]
• 98: Update zendframework/zend-diactoros requirement from ^2.1.3 to ^2.2.1 thanks to @dependabot-preview[bot]
• 99: Update phpstan/phpstan requirement from ^0.11.15 to ^0.11.19 thanks to @dependabot-preview[bot]
• 100: Update squizlabs/php_codesniffer requirement from ^3.4.2 to ^3.5.3 thanks to @dependabot-preview[bot]
• 101: Update doctrine/coding-standard requirement from ^6.0.0 to ^7.0.2 thanks to @dependabot-preview[bot]
• 102: Update phpunit/phpunit requirement from ^8.3.4 to ^8.5.1 thanks to @dependabot-preview[bot]
• 103: Update phpunit/phpunit requirement from ^8.3.4 to ^8.5.2 thanks to @dependabot-preview[bot]
• 104: Replace zendframework/ with laminas/ thanks to @Ocramius
• 105: Run coverage when on PHP 7.4 thanks to @Ocramius
• 106: Run scrutinizer-ci with PHP 7.4.0 thanks to @Ocramius
• 108: Update infection/infection requirement from ^0.13.6 to ^0.15.0 thanks to @dependabot-preview[bot]
• 109: Update squizlabs/php_codesniffer requirement from ^3.5.3 to ^3.5.4 thanks to @dependabot-preview[bot]
• 110: Update dflydev/fig-cookies requirement from ^2.0.0 to ^2.0.1 thanks to @dependabot-preview[bot]
• 111: Update infection/infection requirement from ^0.13.6 to ^0.15.3 thanks to @dependabot-preview[bot]
• 112: Update lcobucci/clock requirement from ^1.2.0 to ^1.3.0 thanks to @dependabot-preview[bot]
• 113: Fix #104: upgraded from zendframework/* to mezzio/* and laminas/* components thanks to @Ocramius
• 114: Update phpunit/phpunit requirement from ^8.5.2 to ^9.0.1 thanks to @dependabot-preview[bot]

5.1.0

This release upgrades the codebase to latest dependencies, introducing
testing for PHP 7.3, and hardening the test suite and code style.

Total issues resolved: 8

• 81: Upgrade to infection/infection 0.10 thanks to @Ocramius
• 83: Update squizlabs/php_codesniffer requirement from ^3.3.1 to ^3.4.2 thanks to @dependabot-preview[bot]
• 84: Update phpunit/phpunit requirement from ^7.3.1 to ^8.3.3 thanks to @dependabot-preview[bot]
• 85: Update psr/http-server-handler requirement from ^1.0.0 to ^1.0.1 thanks to @dependabot-preview[bot]
• 86: Update lcobucci/jwt requirement from ^3.2.4 to ^3.3.1 thanks to @dependabot-preview[bot]
• 87: Update psr/http-server-middleware requirement from ^1.0.0 to ^1.0.1 thanks to @dependabot-preview[bot]
• 88: Upgraded to doctrine/coding-standard 6.0 thanks to @Ocramius
• 89: Test against PHP 7.3, skip PHP nightly thanks to @Ocramius

5.0.0

This release improves the security of the library by preventing most session-related
CSRF attacks on unsafe HTTP methods (such as POST, PUT, etc.) by introducing a
SameSite=Lax cookie policy when using the PSR7Sessions\Storageless\Http\SessionMiddleware
defaults.

The addition of SameSite=Lax counts as a BC break, since cross-domain POST requests will no
longer transmit the session cookie: if you rely on that, be sure to customise the
SessionMiddleware constructor parameters with your own cookie blueprint.

In addition to these changes, following has been introduced:

• The minimum supported PHP version is now 7.2.0
• Static analysis was added to the build pipeline
• Test suite and mutation test suite were upgraded

4.0.0

This release aligns the PSR7Sessions\Storageless\Http\SessionMiddleware to
the PSR-15 php-fig/http-server-middleware
specification.

This means that the signature of PSR7Sessions\Storageless\Http\SessionMiddleware
changed, and therefore you need to look for usages of this class and verify
if the new signature is compatible with your API

Specifically, PSR7Sessions\Storageless\Http\SessionMiddleware#__invoke()
was removed.