Contents

= Improvements

* HttpOnly is now set by default on the remember cookie, so it is no
  longer accessible from Javascript.  This is a more secure approach
  that makes applications using Rodauth's remember feature less
  vulnerable in case they are subject to a separate XSS attack.

* When using the jwt feature, rodauth.clear_session now clears the
  JWT session even when the Roda sessions plugin was in use.  In most
  cases, the jwt feature is not used with the Roda sessions plugin,
  but in cases where the same application serves as both an JSON API
  and as a HTML site, it is possible the two may be used together.

= Backwards Compatibility

* As the default remember cookie :httponly setting is now set to true,
  applications using Rodauth that expected to be able to access the
  remember cookie from Javascript will no longer work by default.
  In these cases, you should now use remember_cookie_options and
  include a :httponly=>false option.

Version data entries

29 entries across 29 versions & 1 rubygems

Version	Path
rodauth-2.36.0	doc/release_notes/2.8.0.txt
rodauth-2.34.0	doc/release_notes/2.8.0.txt
rodauth-2.33.0	doc/release_notes/2.8.0.txt
rodauth-2.32.0	doc/release_notes/2.8.0.txt
rodauth-2.31.0	doc/release_notes/2.8.0.txt
rodauth-2.30.0	doc/release_notes/2.8.0.txt
rodauth-2.29.0	doc/release_notes/2.8.0.txt
rodauth-2.28.0	doc/release_notes/2.8.0.txt
rodauth-2.27.0	doc/release_notes/2.8.0.txt
rodauth-2.26.1	doc/release_notes/2.8.0.txt
rodauth-2.26.0	doc/release_notes/2.8.0.txt
rodauth-2.25.0	doc/release_notes/2.8.0.txt
rodauth-2.24.0	doc/release_notes/2.8.0.txt
rodauth-2.23.0	doc/release_notes/2.8.0.txt
rodauth-2.22.0	doc/release_notes/2.8.0.txt
rodauth-2.21.0	doc/release_notes/2.8.0.txt
rodauth-2.20.0	doc/release_notes/2.8.0.txt
rodauth-2.19.0	doc/release_notes/2.8.0.txt
rodauth-2.18.0	doc/release_notes/2.8.0.txt
rodauth-2.17.0	doc/release_notes/2.8.0.txt