Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use at most one valid session cookie per request #1581

Merged
merged 1 commit into from
Feb 11, 2019
Merged

Use at most one valid session cookie per request #1581

merged 1 commit into from
Feb 11, 2019

Conversation

nytopop
Copy link
Contributor

@nytopop nytopop commented Feb 10, 2019
edited
Loading

Makes loadClientSession ignore all sessions in a request if more than a single session cookie decodes successfully. The prior behavior was to merge all valid session cookies' values.

Bumps version to 1.6.11.1.

Not sure if this counts as a bugfix or breaking change that would require 1.7.

Closes #994, I figured after 3 years it's probably fair game 馃檪. Feel free to close if you don't think this change is warranted anymore.

Before submitting your PR, check that you've:

  • Bumped the version number

After submitting your PR:

  • Update the Changelog.md file with a link to your PR
  • Check that CI passes (or if it fails, for reasons unrelated to your change, like CI timeouts)

snoyberg
snoyberg requested changes Feb 10, 2019
View reviewed changes
Copy link
Member

@snoyberg snoyberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comment on the version number, otherwise LGTM. Thanks!

yesod-core/yesod-core.cabal Outdated
@@ -1,5 +1,5 @@
name: yesod-core
version: 1.6.11
version: 1.6.11.1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be a minor version bump, to 1.6.12, since it does affect behavior.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed 馃憤 and rebased to fix the commit message.

@nytopop
Use at most one valid session cookie per request
70b730c 
Makes `loadClientSession` ignore all sessions in a request if more than
a single session cookie decodes successfully. The prior behavior was to
merge all valid session cookies' values.

Bumps version to 1.6.12
@snoyberg snoyberg merged commit 90fa4d9 into yesodweb:master Feb 11, 2019
@snoyberg
Copy link
Member

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snoyberg snoyberg snoyberg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Possible minor security issue with client session handling
2 participants
@nytopop @snoyberg