-
Notifications
You must be signed in to change notification settings - Fork 58
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
50 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,58 @@ | ||
| # Change Log | ||
|
|
||
| ## 2016-08-14 | ||
| See https://github.com/slimphp/Slim-Csrf/releases for a full list | ||
|
|
||
| Now supports "persistence mode", to persist a single CSRF name/value pair throughout the life of a user's session. Added the following methods: | ||
| ## 1.4.0 | ||
|
|
||
| - `protected getLastKeyPair` - gets the most recently generated key/value pair from storage. | ||
| - `protected loadLastKeyPair` - gets the most recently generated key/value pair from storage, and assign it to `$this->keyPair`. | ||
| - `public setPersistentTokenMode` | ||
| - `public getPersistentTokenMode` | ||
| - Added: Allow to set token name and value in header | ||
|
|
||
| Note that if CSRF token validation fails, then the token should be renewed regardless of the persistence setting. | ||
| ## 1.3.0 | ||
|
|
||
| The methods `getTokenName` and `getTokenValue` now return `null` if `$this->keyPair` has not yet been set. | ||
| - Added: Support for PSR-12 | ||
| - Added: Add XOR to token to avoid BREACH attack | ||
| - Change: PHP 7.3 is no longer supported | ||
|
|
||
| ### Tests added: | ||
| ## 1.2.1 | ||
|
|
||
| - Added: Implement iterator support for getLastKeyPair | ||
|
|
||
| ## 1.2.0 | ||
|
|
||
| - Added: Support PHP 8 | ||
| - Changed: Remove support for PHP 7.1 and 7.2 | ||
|
|
||
| ## 1.1.0 | ||
|
|
||
| - Changed: `remoteTokenFromStorage()` is now public | ||
| - Changed: Don't allow token in the body of a GET request | ||
| - Fixed: Prevent replay attack by removing token on valdiation | ||
|
|
||
| ## 1.0.0 | ||
|
|
||
| - Added: PSR-15 support | ||
|
|
||
| ## 0.8.3 | ||
|
|
||
| - Fixed: Widen random_compat constraint in composer.json | ||
|
|
||
| ## 0.8.2 | ||
|
|
||
| - Fixed: Attach token name and value to request when persist mode is on | ||
|
|
||
| ## 0.8.1 | ||
|
|
||
| - Fixed: Default stroageis now $_SESSION again | ||
|
|
||
| ## 0.8.0 | ||
|
|
||
| - Added: Now supports "persistence mode", to persist a single CSRF name/value pair throughout the life of a user's session. Added the following methods: | ||
|
|
||
| - `protected getLastKeyPair` - gets the most recently generated key/value pair from storage. | ||
| - `protected loadLastKeyPair` - gets the most recently generated key/value pair from storage, and assign it to `$this->keyPair`. | ||
| - `public setPersistentTokenMode` | ||
| - `public getPersistentTokenMode` | ||
|
|
||
| Note that if CSRF token validation fails, then the token should be renewed regardless of the persistence setting. | ||
|
|
||
| The methods `getTokenName` and `getTokenValue` now return `null` if `$this->keyPair` has not yet been set. | ||
|
|
||
| - `testPersistenceModeTrueBetweenRequestsArray` - Token should persist between requests after initial creation, when stored in an array. | ||
| - `testPersistenceModeTrueBetweenRequestsArrayAccess` - Token should persist between requests after initial creation, when stored in an ArrayObject. | ||
| - `testPersistenceModeFalseBetweenRequestsArray` - Token should be changed between requests, when stored in an array. | ||
| - `testPersistenceModeFalseBetweenRequestsArrayAccess` - Token should be changed between requests, when stored in an ArrayObject. | ||
| - `testUpdateAfterInvalidTokenWithPersistenceModeTrue` - New token should be generated after an invalid request, even if persistence mode is enabled. |