CHANGES
=======

3.9.5 (2011-08-11)
------------------

- LP #824355:  enable support for HttpOnly cookies.

- Fix a bug in zope.session.session.Session that would trigger an
  infinite loop if either iteration or a containment test were
  attempted on an instance.


3.9.4 (2011-03-07)
------------------

- Added an explicit `provides` to the IClientId adapter declaration in
  adapter.zcml.

- Added option to disable implicit sweeps in
  PersistentSessionDataContainer.


3.9.3 (2010-09-25)
------------------

- Added test extra to declare test dependency on ``zope.testing``.

- Using Python's ``doctest`` module instead of depreacted
  ``zope.testing.doctest``.


3.9.2 (2009-11-23)
------------------

- Fix Python 2.4 hmac compatibility issue by only using hashlib in
  Python versions 2.5 and above.

- Use the CookieClientIdManager's secret as the hmac key instead of the
  message when constructing and verifying client ids.

- Make it possible to construct CookieClientIdManager passing cookie namespace
  and/or secret as constructor's arguments.

- Use zope.schema.fieldproperty.FieldProperty for "namespace" attribute of
  CookieClientIdManager, just like for other attributes in its interface.
  Also, make ICookieClientIdManager's "namespace" field an ASCIILine, so
  it accepts only non-unicode strings for cookie names.


3.9.1 (2009-04-20)
------------------

- Restore compatibility with Python 2.4.


3.9.0 (2009-03-19)
------------------

- Don't raise deprecation warnings on Python 2.6.

- Drop dependency on ``zope.annotation``. Instead, we make classes implement
  `IAttributeAnnotatable` in ZCML configuration, only if ``zope.annotation``
  is available. If your code relies on annotatable `CookieClientIdManager`
  and `PersistentSessionDataContainer` and you don't include the zcml classes
  configuration of this package, you'll need to use `classImplements` function
  from ``zope.interface`` to make those classes implement `IAttributeAnnotatable`
  again.

- Drop dependency on zope.app.http, use standard date formatting function
  from the ``email.utils`` module.

- Zope 3 application bootstrapping code for session utilities was moved into
  zope.app.appsetup package, thus drop dependency on zope.app.appsetup in this
  package.

- Drop testing dependencies, as we don't need anything behind zope.testing and
  previous dependencies was simply migrated from zope.app.session before.

- Remove zpkg files and zcml slugs.

- Update package's description a bit.


3.8.1 (2009-02-23)
------------------

- Add an ability to set cookie effective domain for CookieClientIdManager.
  This is useful for simple cases when you have your application set up on
  one domain and you want your identification cookie be active for subdomains.

- Python 2.6 compatibility change. Encode strings before calling hmac.new()
  as the function no longer accepts the unicode() type.


3.8.0 (2008-12-31)
------------------

- Add missing test dependency on ``zope.site`` and
  ``zope.app.publication``.


3.7.1 (2008-12-30)
------------------

- Specify i18n_domain for titles in apidoc.zcml

- ZODB 3.9 no longer contains
  ZODB.utils.ConflictResolvingMappingStorage, fixed tests, so they
  work both with ZODB 3.8 and 3.9.


3.7.0 (2008-10-03)
------------------

New features:

- Added a 'postOnly' option on CookieClientIdManagers to only allow setting
  the client id cookie on POST requests.  This is to further reduce risk from
  broken caches handing the same client id out to multiple users. (Of
  course, it doesn't help if caches are broken enough to cache POSTs.)


3.6.0 (2008-08-12)
------------------

New features:

- Added a 'secure' option on CookieClientIdManagers to cause the secure
  set-cookie option to be used, which tells the browser not to send the
  cookie over http.

  This provides enhanced security for ssl-only applications.

- Only set the client-id cookie if it isn't already set and try to
  prevent the header from being cached.  This is to minimize risk from
  broken caches handing the same client id out to multiple users.


3.5.2 (2008-06-12)
------------------

- Remove ConflictErrors caused on SessionData caused by setting
  ``lastAccessTime``.


3.5.1 (2008-04-30)
------------------

- Split up the ZCML to make it possible to re-use more reasonably.


3.5.0 (2008-03-11)
------------------

- Change the default session "resolution" to a sane value and document/test it.


3.4.1 (2007-09-25)
------------------

- Fixed some meta data and switch to tgz release.


3.4.0 (2007-09-25)
------------------

- Initial release

- Moved parts from ``zope.app.session`` to this packages
