mark 0.12.0

maxcountryman · Mar 19, 2024 · 6ad8933 · 6ad8933
1 parent 95798cd
commit 6ad8933
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Unreleased
 
+# 0.12.0
+
+**Important Security Update**
+
+- Id collision mitigation. #181
+
+This release introduces a new method, `create`, to the `SessionStore` trait to distinguish between creating a new session and updating an existing one. **This distinction is crucial for mitigating the potential for session ID collisions.**
+
+Although the probability of session ID collisions is statistically low, given that IDs are composed of securely-random `i128` values, such collisions pose a significant security risk. A store that does not differentiate between session creation and updates could inadvertently allow an existing session to be accessed, leading to potential session takeovers.
+
+Session store authors are strongly encouraged to update and implement `create` such that potential ID collisions are handled, either by generating a new ID or returning an error.
+
+As a transitional measure, we have provided a default implementation of `create` that wraps the existing `save` method. However, this default is not immune to the original issue. Therefore, it is imperative that stores override the `create` method with an implementation that adheres to the required uniqueness semantics, thereby effectively mitigating the risk of session ID collisions.
+
 # 0.11.1
 
 - Ensure `session.set_expiry` updates record. #175

diff --git a/Cargo.toml b/Cargo.toml
@@ -3,7 +3,7 @@ members = [".", "memory-store", "tower-sessions-core"]
 resolver = "2"
 
 [workspace.package]
-version = "0.11.1"
+version = "0.12.0"
 edition = "2021"
 authors = ["Max Countryman <hello@maxcountryman.com>"]
 license = "MIT"
@@ -40,10 +40,10 @@ signed = ["tower-cookies/signed"]
 private = ["tower-cookies/private"]
 
 [workspace.dependencies]
-tower-sessions = { version = "=0.11.1", path = ".", default-features = false }
+tower-sessions = { version = "=0.12.0", path = ".", default-features = false }
 
-tower-sessions-core = { version = "=0.11.1", path = "tower-sessions-core", default-features = false }
-tower-sessions-memory-store = { version = "=0.11.1", path = "memory-store" }
+tower-sessions-core = { version = "=0.12.0", path = "tower-sessions-core", default-features = false }
+tower-sessions-memory-store = { version = "=0.12.0", path = "memory-store" }
 
 async-trait = "0.1.74"
 parking_lot = { version = "0.12.1", features = ["serde"] }

diff --git a/README.md b/README.md
@@ -81,7 +81,7 @@ To use the crate in your project, add the following to your `Cargo.toml` file:
 
 ```toml
 [dependencies]
-tower-sessions = "0.11.1"
+tower-sessions = "0.12.0"
 ```
 
 ## 🤸 Usage