From 41bbb211c7f17fe297ee3ca0c6c7cc7152788589 Mon Sep 17 00:00:00 2001 From: Garion Herman Date: Thu, 4 Jul 2024 10:08:20 +0900 Subject: [PATCH] DOC Add autologin token regeneration changes to 5.3 changelog --- en/08_Changelogs/5.3.0.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/en/08_Changelogs/5.3.0.md b/en/08_Changelogs/5.3.0.md index 67ad84290..c5d38cd2a 100644 --- a/en/08_Changelogs/5.3.0.md +++ b/en/08_Changelogs/5.3.0.md @@ -12,6 +12,7 @@ title: 5.3.0 (unreleased) - [Validation for elemental content blocks when saving individual blocks](#elemental-validation) - [Define scaffolded form fields for relations to `DataObject` models](#scaffolded-relation-formfields) - [Support for `JOIN` in SQL `UPDATE`](#sql-update-join) + - [Autologin token regeneration changes](#autologin-token-regeneration) - [Other new features](#other-new-features) - [API changes](#api-changes) - [Bug fixes](#bug-fixes) 
@@ -109,6 +110,21 @@ The [`SQLUpdate`](api:SilverStripe\ORM\Queries\SQLUpdate) class now supports all This is particularly helpful if you need to update columns in one table to match values from another table. +### Autologin token regeneration changes {#autologin-token-regeneration} + +The Autologin ('remember me') feature stores cookies in the user's browser to allow recreation of their session when it expires. Currently, one of the cookies is regenerated whenever a user's session is recreated. This can cause unexpected logouts in certain situations, and has minimal value from a security standpoint. + +In 5.3, the current behaviour is retained, but can be disabled via configuration: + +```yml +SilverStripe\Security\RememberLoginHash: + replace_token_during_session_renewal: false +``` + +This will cause the token to be generated once during login, and not be regenerated during session renewal. + +From 6.0 onwards, tokens will never be regenerated during session renewal, and this configuration will be removed. + ### Other new features - `silverstripe/linkfield` now has improved accessibility support for screen readers and keyboard navigation. Focus states have also been made consistent between keyboard and mouse interaction. 
@@ -120,6 +136,9 @@ This is particularly helpful if you need to update columns in one table to match - Passing a non-array `$fields` argument to both [`FieldList::addFieldsToTab()`](api:SilverStripe\Forms\FieldList::addFieldsToTab()) and [`FieldList::removeFieldsFromTab()`](api:SilverStripe\Forms\FieldList::removeFieldsFromTab()) has been deprecated. - The [`BaseElement::getDescription()`](api:DNADesign\Elemental\Models\BaseElement::getDescription()) method has been deprecated. To update the description of elemental blocks, use the [`description`](api:DNADesign\Elemental\Models\BaseElement->description) configuration property and the localisation API. +- The [`RememberLoginHash::renew()`](api:SilverStripe\Security\RememberLoginHash::renew()) method has been deprecated without replacement, since the associated behaviour will be removed in 6.0. + - The `onAfterRenewToken` extension point within this method will likely be replaced with a new extension point in 6.0. +- The [`RememberLoginHash.replace_token_during_session_renewal`](api:SilverStripe\Security\RememberLoginHash->replace_token_during_session_renewal) configuration property has been added to allow disabling token regeneration during session renewal. This property will be removed in 6.0. ## Bug fixes
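Review bot: In the second hunk (the new "Autologin token regeneration changes" section), the sentence "This can cause unexpected logouts in certain situations, and has minimal value from a security standpoint" asserts a security trade-off without giving the reader anything to weigh it with. A site administrator deciding whether to set `replace_token_during_session_renewal: false` needs to know which situations trigger the unexpected logouts and what the per-renewal regeneration was meant to protect against, so they can judge what keeping a single token for the whole login means for their deployment. Suggest expanding to name the situation(s) and adding one sentence on the security reasoning behind calling the value "minimal"; it would also help to state where the YAML fragment belongs, since the snippet is shown without a file location.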
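Review bot: In the third hunk, the sub-bullet "The `onAfterRenewToken` extension point within this method will likely be replaced with a new extension point in 6.0" is too non-committal for a deprecation notice: readers maintaining extensions that hook `onAfterRenewToken` need to know what to do now, not that something may change later. Suggest either naming the intended replacement hook (or linking the tracking issue if one exists) or stating plainly that there is currently no replacement and that extensions relying on it should be reviewed before 6.0. The same bullet could also say whether calling the deprecated `renew()` emits a deprecation notice, so maintainers can detect remaining usages.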