From 56bcbd4b5a7761b15aab4172ee859ac882e3d6ca Mon Sep 17 00:00:00 2001 From: Garion Herman Date: Thu, 4 Jul 2024 10:08:20 +0900 Subject: [PATCH] DOC Add autologin token regeneration changes to 5.3 changelog --- en/08_Changelogs/5.3.0.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/en/08_Changelogs/5.3.0.md b/en/08_Changelogs/5.3.0.md index 67ad84290..956663323 100644 --- a/en/08_Changelogs/5.3.0.md +++ b/en/08_Changelogs/5.3.0.md @@ -12,6 +12,7 @@ title: 5.3.0 (unreleased) - [Validation for elemental content blocks when saving individual blocks](#elemental-validation) - [Define scaffolded form fields for relations to `DataObject` models](#scaffolded-relation-formfields) - [Support for `JOIN` in SQL `UPDATE`](#sql-update-join) + - [Autologin token regeneration changes](#autologin-token-regeneration) - [Other new features](#other-new-features) - [API changes](#api-changes) - [Bug fixes](#bug-fixes) 
@@ -109,6 +110,19 @@ The [`SQLUpdate`](api:SilverStripe\ORM\Queries\SQLUpdate) class now supports all This is particularly helpful if you need to update columns in one table to match values from another table. +### Autologin token regeneration changes {#autologin-token-regeneration} + +The Autologin ('remember me') feature stores cookies in the user's browser to allow recreation of their session when it expires. Currently, one of the cookies is regenerated whenever a user's session is recreated. This can cause unexpected logouts in certain situations, and has minimal value from a security standpoint. + +In 5.3, this behaviour is retained, but can be disabled via configuration: + +```yml +SilverStripe\Security\RememberLoginHash: + replace_token_during_session_renewal: false +``` + +From 6.0 onwards, this behaviour will be completely removed. + ### Other new features - `silverstripe/linkfield` now has improved accessibility support for screen readers and keyboard navigation. Focus states have also been made consistent between keyboard and mouse interaction.
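Review bot: In the new "Autologin token regeneration changes" section, the claim that the regeneration "has minimal value from a security standpoint" is asserted without explanation, yet the config example directly below invites readers to opt out of the default; spell out what regenerating the token on session renewal was meant to protect against and why the project now considers that value minimal, so readers can weigh the trade-off before setting `replace_token_during_session_renewal: false`. Two smaller points: "one of the cookies is regenerated" would be clearer if it named which cookie or token is affected, and the closing line "From 6.0 onwards, this behaviour will be completely removed" should state whether the configuration property itself is deprecated and removed as well, since that is what a reader who adds it to their YAML will need to know when upgrading.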