Sessions Versions Save

A minor maintenance release that improves documentation and two new third-party store implementations.

CHANGELOG

• Fix typo in README example (#223) @Coteh
• Add link to implementation for CockroachDB (#219) @stephenafamo
• fix CookieStore creation in doc.go (#206) @collinewait
• Add Redis store implementation (#202) @rbcervilla
• README.md: link Cloud Firestore implementation (#201) @tbpg
• Added _ = to indicate there is a return from Save (#197) @adamjack
• Removed unused global var (#199) @muesli

This release removes gorilla/context as a dependency. sessions now requires Go 1.7 or greater (released August, 2016), which provides a first-class request context for sessions and reduces user-facing complexity.

CHANGELOG

• Update go.mod: removes gorilla/context (#196) @elithrar
• Create config.yml (#195) @elithrar
• merge Commits on Dec 09, 2018 (#1) @liu-xuewen
• • use golang context pkg instead of gorilla/context to fix memory leaks (#175) @secracon
• Update and rename stale to stale.yml (#177) @elithrar
• Add stalebot config (#176) @elithrar
• README: convert key to bytes before passing to NewCookieStore (#174) @nikhita
• Run go mod tidy (#171) @keegancsmith

This release fixes an oversight in how cookie options were copied internally, impacting SameSite cookie settings.

CHANGELOG

• [docs] Improve advice around key generation & usage. (#168) @elithrar
• Set http.Cookie's SameSite field in NewCookie for Go 1.11 or later (#170) @nwidger

gorilla/sessions now supports the SameSite cookie attribute added in Go 1.11.

Cookies with this set (in Strict mode, preferably) are only sent on requests originating from the same origin at as the cookie domain, rather than for all requests to that domain no matter the origin.

You can set SameSite on a session by setting session.Options.SameSite to a valid value:

func MyHandler(w http.ResponseWriter, r *http.Request) {
	session, err := store.Get(r, "session-name")
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	// Set the SameSite mode via one of the typed constants described
	// at https://golang.org/pkg/net/http/#SameSite
	session.Options = &sessions.Options{SameSite: http.SameSiteStrictMode}

	if err := session.Save(r, w); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
}

You can read more about the SameSite attribute on Mozilla's blog, or inthe RFC itself.

CHANGELOG

• Create release-drafter.yml (#166) @elithrar
• Update Travis CI to build against the latest Go (#167) @elithrar
• Adds support for SameSite cookie attribute (#165) @elithrar

Versioning v1.1.1 to correctly comply with SemVer.

CHANGELOG 03b6f63 Add AUTHORS file; update LICENSE (#158) 9ee0d62 [build] Update deps to correct SemVer tags (#153) a2f2a3d replacing travis badge with scaling svg (#147) 92b749d Add link to XORM store implementation (#149) 7910f5b Added description about Max-Age field in Options (#148) 7087b4d Add go.mod file for vgo dependency management. (#145) 6ba88b7 Prevent panic in NewSession function (#140) 41ee504 Add link to memstore implementation (#143) fe21b6a Update doc.go (#127) a3acf13 Add missing error check (#123)

• gorilla/sessions has long needed an official release (although, strict version tags were less useful prior to vendoring tools)
• This version is the last version that supports gorilla/context going forward due to the incompability between its global map of *http.Requests and Go 1.7's new http.Request.WithContext(). The shallow copy of the request changes the address, causing gorilla/context's map to point to the old request.