Release v1.2.2

What's Changed

• build: use build matrix; drop Go <= 1.10 by @elithrar in #230
• refactor: use base32 encoder with no padding by @leungyauming in #240
• docs: Add new TiKV store to README by @ryicoh in #245
• Fix linting errors for go1.17 by @mariusor in #253
• Update README.md by @coreydaley in #261
• Update go version, add tools for verification and testing by @coreydaley in #263
• Update LICENSE by @coreydaley in #264
• Add gorilla logo to Readme by @apoorvajagtap in #265
• Update issues.yml by @coreydaley in #266
• Don't propagate "not exist" error if trying to erase a session matchi… by @mariusor in #252
• update GitHub workflows by @coreydaley in #268
• bump deps and add vendor dir by @coreydaley in #269

New Contributors

• @leungyauming made their first contribution in #240
• @ryicoh made their first contribution in #245
• @mariusor made their first contribution in #253
• @coreydaley made their first contribution in #261
• @apoorvajagtap made their first contribution in #265

Full Changelog: v1.2.1...v1.2.2

v1.2.1 ✏️

A minor maintenance release that improves documentation and two new third-party store implementations.

CHANGELOG

• Fix typo in README example (#223) @Coteh
• Add link to implementation for CockroachDB (#219) @stephenafamo
• fix CookieStore creation in doc.go (#206) @collinewait
• Add Redis store implementation (#202) @rbcervilla
• README.md: link Cloud Firestore implementation (#201) @tbpg
• Added _ = to indicate there is a return from Save (#197) @adamjack
• Removed unused global var (#199) @muesli

v1.2.0 💾

This release removes gorilla/context as a dependency. sessions now requires Go 1.7 or greater (released August, 2016), which provides a first-class request context for sessions and reduces user-facing complexity.

CHANGELOG

• Update go.mod: removes gorilla/context (#196) @elithrar
• Create config.yml (#195) @elithrar
• merge Commits on Dec 09, 2018 (#1) @liu-xuewen
• • use golang context pkg instead of gorilla/context to fix memory leaks (#175) @secracon
• Update and rename stale to stale.yml (#177) @elithrar
• Add stalebot config (#176) @elithrar
• README: convert key to bytes before passing to NewCookieStore (#174) @nikhita
• Run go mod tidy (#171) @keegancsmith

Bug Fix: SameSite

This release fixes an oversight in how cookie options were copied internally, impacting SameSite cookie settings.

CHANGELOG

• [docs] Improve advice around key generation & usage. (#168) @elithrar
• Set http.Cookie's SameSite field in NewCookie for Go 1.11 or later (#170) @nwidger

v1.1.2 - SameSite Cookie Support

gorilla/sessions now supports the SameSite cookie attribute added in Go 1.11.

Cookies with this set (in Strict mode, preferably) are only sent on requests originating from the same origin at as the cookie domain, rather than for all requests to that domain no matter the origin.

You can set SameSite on a session by setting session.Options.SameSite to a valid value:

func MyHandler(w http.ResponseWriter, r *http.Request) {
	session, err := store.Get(r, "session-name")
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	// Set the SameSite mode via one of the typed constants described
	// at https://golang.org/pkg/net/http/#SameSite
	session.Options = &sessions.Options{SameSite: http.SameSiteStrictMode}

	if err := session.Save(r, w); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
}

You can read more about the SameSite attribute on Mozilla's blog, or inthe RFC itself.

CHANGELOG

• Create release-drafter.yml (#166) @elithrar
• Update Travis CI to build against the latest Go (#167) @elithrar
• Adds support for SameSite cookie attribute (#165) @elithrar

v1.1.1

Versioning v1.1.1 to correctly comply with SemVer.

CHANGELOG
03b6f63 Add AUTHORS file; update LICENSE (#158)
9ee0d62 [build] Update deps to correct SemVer tags (#153)
a2f2a3d replacing travis badge with scaling svg (#147)
92b749d Add link to XORM store implementation (#149)
7910f5b Added description about Max-Age field in Options (#148)
7087b4d Add go.mod file for vgo dependency management. (#145)
6ba88b7 Prevent panic in NewSession function (#140)
41ee504 Add link to memstore implementation (#143)
fe21b6a Update doc.go (#127)
a3acf13 Add missing error check (#123)

v1.1

• gorilla/sessions has long needed an official release (although, strict version tags were less useful prior to vendoring tools)
• This version is the last version that supports gorilla/context going forward due to the incompability between its global map of *http.Requests and Go 1.7's new http.Request.WithContext(). The shallow copy of the request changes the address, causing gorilla/context's map to point to the old request.