Releases: gorilla/sessions

v1.2.1 ✏️

61fa50d

A minor maintenance release that brings documentation improvements and two new third-party store implementations.

CHANGELOG

v1.2.0 💾

4355a99

This release removes gorilla/context as a dependency. sessions now requires Go 1.7 or greater (released August, 2016), which provides a first-class request context for sessions and reduces user-facing complexity.

CHANGELOG

Bug Fix: SameSite

This release fixes an oversight in how cookie options were copied internally, impacting SameSite cookie settings.

CHANGELOG

  • [docs] Improve advice around key generation & usage. (#168) @elithrar
  • Set http.Cookie's SameSite field in NewCookie for Go 1.11 or later (#170) @nwidger

v1.1.2 - SameSite Cookie Support

8154739

gorilla/sessions now supports the SameSite cookie attribute added in Go 1.11.

Cookies with this set (in Strict mode, preferably) are only sent on requests originating from the same origin as the cookie domain, rather than for all requests to that domain no matter the origin.

You can set SameSite on a session by setting session.Options.SameSite to a valid value:

func MyHandler(w http.ResponseWriter, r *http.Request) {
	session, err := store.Get(r, "session-name")
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

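	// Set the SameSite mode via one of the typed constants described
	// at https://golang.org/pkg/net/http/#SameSite. Assign the field rather
	// than replacing session.Options, so the Path, MaxAge, Secure and
	// HttpOnly values copied from the store are kept.
	session.Options.SameSite = http.SameSiteStrictMode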

	if err := session.Save(r, w); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
}

You can read more about the SameSite attribute on Mozilla's blog, or in the RFC itself.
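The SameSite option only helps if it reaches the Set-Cookie header, which is what the "Bug Fix: SameSite" release above corrected. The following is an added example, not code from gorilla/sessions: a standard-library check that runs a handler and audits the cookie it emits. `auditCookie` and `cookieHandler` are hypothetical names, and the handler is a constructed stand-in for a real session handler.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// auditCookie (hypothetical helper) runs h once and lists what is wrong
// with the attributes of the cookie called name in its response.
func auditCookie(h http.Handler, name string) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "https://example.test/", nil))
	for _, c := range rec.Result().Cookies() {
		if c.Name != name {
			continue
		}
		var issues []string
		// An absent attribute parses as the zero value, so it fails here too.
		if c.SameSite != http.SameSiteStrictMode && c.SameSite != http.SameSiteLaxMode {
			issues = append(issues, "SameSite is not Strict or Lax")
		}
		if !c.Secure {
			issues = append(issues, "Secure not set")
		}
		if !c.HttpOnly {
			issues = append(issues, "HttpOnly not set")
		}
		return issues
	}
	return []string{"cookie not set"}
}

// cookieHandler builds a constructed stand-in for a session handler that
// emits one cookie with the given SameSite mode (0 means attribute omitted).
func cookieHandler(mode http.SameSite) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{Name: "session-name", Value: "constructed",
			Path: "/", Secure: true, HttpOnly: true, SameSite: mode})
	})
}

func main() {
	fmt.Println("dropped:", auditCookie(cookieHandler(0), "session-name"))
	fmt.Println("strict: ", auditCookie(cookieHandler(http.SameSiteStrictMode), "session-name"))
}
```

Passing a real handler such as MyHandler in place of `cookieHandler` turns this into a regression test for the session cookie's attributes.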

CHANGELOG

v1.1.1

Versioning v1.1.1 to correctly comply with SemVer.

CHANGELOG
03b6f63 Add AUTHORS file; update LICENSE (#158)
9ee0d62 [build] Update deps to correct SemVer tags (#153)
a2f2a3d replacing travis badge with scaling svg (#147)
92b749d Add link to XORM store implementation (#149)
7910f5b Added description about Max-Age field in Options (#148)
7087b4d Add go.mod file for vgo dependency management. (#145)
6ba88b7 Prevent panic in NewSession function (#140)
41ee504 Add link to memstore implementation (#143)
fe21b6a Update doc.go (#127)
a3acf13 Add missing error check (#123)

v1.1

  • gorilla/sessions has long needed an official release (although, strict version tags were less useful prior to vendoring tools)
  • This version is the last version that supports gorilla/context going forward due to the incompatibility between its global map of *http.Requests and Go 1.7's new http.Request.WithContext(). The shallow copy of the request changes the address, causing gorilla/context's map to point to the old request.