Breaking changes:
- add item here
New features:
- add item here
Bug fixes:
- add item here
Bug fixes:
- Hide uninstall profile in install listings. [jensens]
New:
- Added uninstall profile. [maurits]
- Cleanup: PEP8, Plone style conventions, better readability. [jensens]
- Use a default encoding in createTicket so that it is compatible with a unicode user_id. [puittenbroek]
- Move tests from PloneTestCase to plone.app.testing. [tomgross]
- Revert accidental change to default encoding for validateTicket. [davisagli]
- Use constant time comparison when validating tickets. This is part of the fix for https://plone.org/products/plone/security/advisories/20121106/23 [davisagli]
- Handle encoded strings for userids. [elro]
- Add MANIFEST.in. [WouterVH]
- Fix for Python 2.4 under 64bit Mac OS generating incorrect mod_auth_tkt digests [MatthewWilkes]
- Disable secure cookie in development mode, to ease local testing. [hannosch]
- Added metadata.xml to the default profile. [vincentfretin]
- Update login.asp to match Plone 4.1 SSO login form functionality. [elro]
- Fix remove. [elro]
- Remove ``external_login`` method, the normal ``logged_in`` script can be used instead. [elro]
- Fix refresh. [elro]
- Remove ``SessionPlugin.validate(ticket)`` method, it was not required. [elro]
- Session refresh. [elro]
- Add ``SessionPlugin.validate(ticket)`` method. [elro]
- Close <input> tags properly (chameleon compatibility). [swampmonkey]
- Update package metadata. [hannosch]
- Make sure to load the right meta ZCML. [hannosch]
- Avoid deprecation warnings under Zope 2.13. [hannosch]
- Removed dependency on GPL licensed Products.PloneTestCase. [hannosch]
- Make the ``secure`` option of cookies configurable. This allows restricting cookies to HTTPS connections alone. This closes http://dev.plone.org/plone/ticket/7897. [pfurman, hannosch]
- Use the standard library's doctest module, instead of the deprecated one from zope.testing. [hannosch]
- Marked the session cookie as ``HTTPOnly``. [hannosch]
- PEP8 cleanup. [hannosch]
- Relicense as BSD following PF Board decision. http://lists.plone.org/pipermail/membership/2010-April/001123.html [elro]
- Example IIS login form and documentation. This builds on work by Hanno and me at Jarn for Centrepoint. [elro]
- Support authentication by an external form, perhaps one running on an IIS server with Integrated Windows Authentication. [elro]
- Prefix setupSession with underscore, the method should be unavailable TTW. [elro]
- Catch a ComponentLookupError in authenticateCredentials. [elro]
- Add back the hash management UI with added functionality to set shared secret. [elro]
- Add properties for cookie domain and ticket validity timeout. [elro]
- Use mod_auth_tkt format cookies to give us a session validity timeout. By default we use a more secure HMAC SHA-256 hashing scheme. An MD5 based scheme compatible with other mod_auth_tkt implementations is optional. [elro]
- Remove the source component indirection. [elro]
- Remove hash management UI which had been accidentally re-merged. [davisagli]
- Avoid deprecation warning for the sha module in Python 2.6. [hannosch]
- Declare test dependencies in an extra. [hannosch]
- Specify package dependencies. [hannosch]
- Fixed the remaining tests to work with the new keyring backend. [hannosch]
- Fixed a component lookup call in the HashSession source. [davisagli, hannosch]
- Update default (hash) session source to use plone.keyring to manage the secrets. [wichert]
- Protect the setupSession call with the ManageUsers permission. Fixes possible privilege escalation. [maurits]
- Make the cookie lifetime configurable. Patch by Rok Garbas. Fixes http://dev.plone.org/plone/ticket/7248 [wichert, garbas]
- Fix CSRF protection for managing server secrets via the Plone session plugin for PAS. Fixes http://dev.plone.org/plone/ticket/8176 [witsch]
- Use the binascii base64 methods to encode/decode the session cookie. This prevents newlines being inserted in long cookies. [wichert]
- Use the userid instead of the login name in session identifiers. This has the side-effect of working around a bug in PAS which caused us to mix up users when the login name used was an inexact match for another login name. [wichert]
- First stable release [wichert]
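Several entries above describe the ticket scheme this package settled on: mod_auth_tkt format cookies carrying a timestamp for a validity timeout, an HMAC SHA-256 digest instead of the MD5 rounds, and constant-time comparison when validating. The following is an added illustration of that scheme, not plone.session's own code; the secret, the exact field layout and the function names are assumptions.

```python
import hmac
import struct
import time
from hashlib import sha256

SECRET = b"example-shared-secret"  # constructed; a real site draws this from the keyring
TIMEOUT = 3600  # ticket validity in seconds


def _digest(secret, ip, ts, userid, tokens, user_data):
    # mod_auth_tkt signs the packed client IP and timestamp followed by
    # userid, tokens and user data separated by NUL; here the two MD5
    # rounds of the original format are replaced by a single HMAC-SHA256.
    data1 = struct.pack("!4B", *(int(o) for o in ip.split("."))) + struct.pack("!I", ts)
    data2 = b"\0".join(s.encode("utf8") for s in (userid, ",".join(tokens), ",".join(user_data)))
    return hmac.new(secret, data1 + data2, sha256).hexdigest()


def create_ticket(secret, userid, tokens=(), user_data=(), ip="0.0.0.0", timestamp=None):
    ts = int(time.time()) if timestamp is None else timestamp
    digest = _digest(secret, ip, ts, userid, tokens, user_data)
    # layout: <hex digest><8 hex chars timestamp><userid>!<tokens>!<user_data>
    return "%s%08x%s!%s!%s" % (digest, ts, userid, ",".join(tokens), ",".join(user_data))


def validate_ticket(secret, ticket, ip="0.0.0.0", timeout=TIMEOUT, now=None):
    """Return (userid, tokens, user_data) for a valid, unexpired ticket, else None."""
    digest_len = sha256().digest_size * 2
    if len(ticket) < digest_len + 8:
        return None
    digest = ticket[:digest_len]
    try:
        ts = int(ticket[digest_len:digest_len + 8], 16)
        userid, token_str, data_str = ticket[digest_len + 8:].split("!", 2)
    except ValueError:
        return None
    tokens = tuple(t for t in token_str.split(",") if t)
    user_data = tuple(d for d in data_str.split(",") if d)
    expected = _digest(secret, ip, ts, userid, tokens, user_data)
    # compare_digest does not stop at the first differing byte, so response
    # timing reveals nothing about how much of a forged digest matched.
    if not hmac.compare_digest(expected, digest):
        return None
    now = int(time.time()) if now is None else now
    if timeout and ts + timeout < now:
        return None  # digest is genuine but the ticket has expired
    return userid, tokens, user_data
```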