DOC Add autologin token regeneration changes to 5.3 changelog

silverstripe · Jul 4, 2024 · 56bcbd4 · 56bcbd4
1 parent db5980e
commit 56bcbd4
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/en/08_Changelogs/5.3.0.md b/en/08_Changelogs/5.3.0.md
@@ -12,6 +12,7 @@ title: 5.3.0 (unreleased)
   - [Validation for elemental content blocks when saving individual blocks](#elemental-validation)
   - [Define scaffolded form fields for relations to `DataObject` models](#scaffolded-relation-formfields)
   - [Support for `JOIN` in SQL `UPDATE`](#sql-update-join)
+  - [Autologin token regeneration changes](#autologin-token-regeneration)
   - [Other new features](#other-new-features)
   - [API changes](#api-changes)
 - [Bug fixes](#bug-fixes)
@@ -109,6 +110,19 @@ The [`SQLUpdate`](api:SilverStripe\ORM\Queries\SQLUpdate) class now supports all
 
 This is particularly helpful if you need to update columns in one table to match values from another table.
 
+### Autologin token regeneration changes {#autologin-token-regeneration}
+
+The Autologin ('remember me') feature stores cookies in the user's browser to allow recreation of their session when it expires. Currently, one of the cookies is regenerated whenever a user's session is recreated. This can cause unexpected logouts in certain situations, and has minimal value from a security standpoint.
+
+In 5.3, this behaviour is retained, but can be disabled via configuration:
+
+```yml
+SilverStripe\Security\RememberLoginHash:
+  replace_token_during_session_renewal: false
+```
+
+From 6.0 onwards, this behaviour will be completely removed.
+
 ### Other new features
 
 - `silverstripe/linkfield` now has improved accessibility support for screen readers and keyboard navigation. Focus states have also been made consistent between keyboard and mouse interaction.