Changelog
=========

3.0 - 2010-07-18
----------------

- Update package metadata.
  [hannosch]

3.0b5 - 2010-06-13
------------------

- Make sure to load the right meta ZCML.
  [hannosch]

- Avoid deprecation warnings under Zope 2.13.
  [hannosch]

- Removed dependency on GPL licensed Products.PloneTestCase.
  [hannosch]

3.0b4 - 2010-05-23
------------------

- Make the ``secure`` option of cookies configurable. This allows to restrict
  cookies to HTTPS connections alone. This closes
  http://dev.plone.org/plone/ticket/7897.
  [pfurman, hannosch]

- Use the standard libraries doctest module, instead of the deprecated one
  from zope.testing.
  [hannosch]

- Marked the session cookie as ``HTTPOnly``.
  [hannosch]

- PEP8 cleanup.
  [hannosch]

- Relicense as BSD following PF Board decision.
  http://lists.plone.org/pipermail/membership/2010-April/001123.html
  [elro]

3.0b3 - 2010-04-09
------------------

- Example IIS login form and documentation. This builds on work by Hanno and I
  at Jarn for Centrepoint.
  [elro]

- Support authentication by an external form, perhaps one running on an IIS
  server with Integrated Windows Authentication.
  [elro]

3.0b2 - 2010-03-09
------------------

- Prefix setupSession with underscore, the method should be unavailable TTW.
  [elro]

- Catch a ComponentLookupError in authenticateCredentials.
  [elro]

3.0b1 - 2010-03-05
------------------

- Add back the hash management UI with added functionality to set shared
  secret.
  [elro]

- Add properties for cookie domain and ticket validity timeout.
  [elro]

- Use mod_auth_tkt format cookies to give us a session validity timeout.
  By default we use a more secure HMAC SHA-256 hashing scheme. An MD5 based
  scheme compatible with other mod_auth_tkt implementations is optional.
  [elro]

- Remove the source component indirection.
  [elro]

3.0a2 - 2009-11-13
------------------

- Remove hash management UI which had been accidentally re-merged.
  [davisagli]

3.0a1 - 2009-04-04
------------------

- Avoid deprecation warning for the sha module in Python 2.6.
  [hannosch]

- Declare test dependencies in an extra.
  [hannosch]

- Specify package dependencies.
  [hannosch]

- Fixed the remaining tests to work with the new keyring backend.
  [hannosch]

- Fixed a component lookup call in the HashSession source.
  [davisagli, hannosch]

- Update default (hash) session source to use plone.keyring to manage
  the secrets.
  [wichert]

2.1 - 2009-02-04
----------------

- Protect the setupSession call with the ManageUsers permission.
  Fixes possible privilege escalation.
  [maurits]

- Make the cookie lifetime configurable. Patch by Rok Garbas. Fixes
  http://dev.plone.org/plone/ticket/7248
  [wichert, garbas]

2.0 - 2008-07-08
----------------

- Fix CSRF protection for managing server secrets via the Plone session
  plugin for PAS. Fixes http://dev.plone.org/plone/ticket/8176
  [witsch]

1.2 - 2007-02-15
----------------

- Use the binascii base64 methods to encode/decode the session cookie. This
  prevents newlines being inserted in long cookies.
  [wichert]

1.1 - 2007-09-11
----------------

- Use the userid instead of the login name in session identifiers. This
  has the side-effect of working around a bug in PAS which caused us to
  mix up users when the login name used was an inexact match for another
  login name.
  [wichert]

1.0 - 2007-08-15
----------------

- First stable release
  [wichert]
