From 6ad8933b4f5e71f3202f0c1a28f194f3db5234c8 Mon Sep 17 00:00:00 2001
From: Max Countryman 
Date: Tue, 19 Mar 2024 14:06:44 -0700
Subject: [PATCH] mark 0.12.0
---
 CHANGELOG.md | 14 ++++++++++++++
 Cargo.toml | 8 ++++----
 README.md | 2 +-
 3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57a2184..5642eb4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Unreleased
 
+# 0.12.0
+
+**Important Security Update**
+
+- Id collision mitigation. #181
+
+This release introduces a new method, `create`, to the `SessionStore` trait to distinguish between creating a new session and updating an existing one. **This distinction is crucial for mitigating the potential for session ID collisions.**
+
+Although the probability of session ID collisions is statistically low, given that IDs are composed of securely-random `i128` values, such collisions pose a significant security risk. A store that does not differentiate between session creation and updates could inadvertently allow an existing session to be accessed, leading to potential session takeovers.
+
+Session store authors are strongly encouraged to update and implement `create` such that potential ID collisions are handled, either by generating a new ID or returning an error.
+
+As a transitional measure, we have provided a default implementation of `create` that wraps the existing `save` method. However, this default is not immune to the original issue. Therefore, it is imperative that stores override the `create` method with an implementation that adheres to the required uniqueness semantics, thereby effectively mitigating the risk of session ID collisions.
+
 # 0.11.1
 
 - Ensure `session.set_expiry` updates record. #175
diff --git a/Cargo.toml b/Cargo.toml
index b14e5ef..f076daa 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@ members = [".", "memory-store", "tower-sessions-core"]
 resolver = "2"
 
 [workspace.package]
-version = "0.11.1"
+version = "0.12.0"
 edition = "2021"
 authors = ["Max Countryman "]
 license = "MIT"
@@ -40,10 +40,10 @@ signed = ["tower-cookies/signed"]
 private = ["tower-cookies/private"]
 
 [workspace.dependencies]
-tower-sessions = { version = "=0.11.1", path = ".", default-features = false }
+tower-sessions = { version = "=0.12.0", path = ".", default-features = false }
 
-tower-sessions-core = { version = "=0.11.1", path = "tower-sessions-core", default-features = false }
-tower-sessions-memory-store = { version = "=0.11.1", path = "memory-store" }
+tower-sessions-core = { version = "=0.12.0", path = "tower-sessions-core", default-features = false }
+tower-sessions-memory-store = { version = "=0.12.0", path = "memory-store" }
 
 async-trait = "0.1.74"
 parking_lot = { version = "0.12.1", features = ["serde"] }
diff --git a/README.md b/README.md
index d2994d3..720d77c 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ To use the crate in your project, add the following to your `Cargo.toml` file:
 
 ```toml
 [dependencies]
-tower-sessions = "0.11.1"
+tower-sessions = "0.12.0"
 ```
 
 ## 🤸 Usage