Commit 6ad8933

committed
mark 0.12.0
1 parent 95798cd commit 6ad8933

3 files changed

+19
-5
lines changed

CHANGELOG.md

Lines changed: 14 additions & 0 deletions
@@ -1,5 +1,19 @@
11
# Unreleased
22

3+
# 0.12.0
4+
5+
**Important Security Update**
6+
7+
- Id collision mitigation. #181
8+
9+
This release introduces a new method, `create`, to the `SessionStore` trait to distinguish between creating a new session and updating an existing one. **This distinction is crucial for mitigating the potential for session ID collisions.**
10+
11+
Although the probability of session ID collisions is statistically low, given that IDs are composed of securely-random `i128` values, such collisions pose a significant security risk. A store that does not differentiate between session creation and updates could inadvertently allow an existing session to be accessed, leading to potential session takeovers.
12+
13+
Session store authors are strongly encouraged to update and implement `create` such that potential ID collisions are handled, either by generating a new ID or returning an error.
14+
15+
As a transitional measure, we have provided a default implementation of `create` that wraps the existing `save` method. However, this default is not immune to the original issue. Therefore, it is imperative that stores override the `create` method with an implementation that adheres to the required uniqueness semantics, thereby effectively mitigating the risk of session ID collisions.
16+
317
# 0.11.1
418

519
- Ensure `session.set_expiry` updates record. #175
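Review bot: the new entry tells store authors to handle a collision "either by generating a new ID or returning an error" but never states what `create` returns in each case, so two stores could legitimately pick opposite semantics (one silently regenerates the ID on the record, the other fails the call). Consider quoting the `create` signature here and saying which outcome callers should expect on collision, and whether the transitional default that wraps `save` is slated for removal, so the "transitional measure" has a visible end rather than an indefinite fallback that, as the entry itself says, is not immune to the original issue.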

Cargo.toml

Lines changed: 4 additions & 4 deletions
@@ -3,7 +3,7 @@ members = [".", "memory-store", "tower-sessions-core"]
33
resolver = "2"
44

55
[workspace.package]
6-
version = "0.11.1"
6+
version = "0.12.0"
77
edition = "2021"
88
authors = ["Max Countryman <hello@maxcountryman.com>"]
99
license = "MIT"
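Review bot: the jump from `0.11.1` to `0.12.0` rather than `0.11.2` is the right call even though adding a defaulted trait method is additive: in the 0.x series Cargo treats a minor bump as semver-incompatible, so a downstream `cargo update` on a `"0.11.1"` requirement will not silently pull in the new `SessionStore` contract, and store maintainers must opt in to the release that asks them to override `create`. Worth a sentence in the CHANGELOG entry so readers understand why a security fix shipped as a minor rather than a patch version.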
@@ -40,10 +40,10 @@ signed = ["tower-cookies/signed"]
4040
private = ["tower-cookies/private"]
4141

4242
[workspace.dependencies]
43-
tower-sessions = { version = "=0.11.1", path = ".", default-features = false }
43+
tower-sessions = { version = "=0.12.0", path = ".", default-features = false }
4444

45-
tower-sessions-core = { version = "=0.11.1", path = "tower-sessions-core", default-features = false }
46-
tower-sessions-memory-store = { version = "=0.11.1", path = "memory-store" }
45+
tower-sessions-core = { version = "=0.12.0", path = "tower-sessions-core", default-features = false }
46+
tower-sessions-memory-store = { version = "=0.12.0", path = "memory-store" }
4747

4848
async-trait = "0.1.74"
4949
parking_lot = { version = "0.12.1", features = ["serde"] }
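Review bot: pinning all three workspace crates to `=0.12.0` in one step keeps them moving together, but nothing in this commit touches the `memory-store` or `tower-sessions-core` sources, so the `create` method and the memory store's override of it must already be in the parent commit `95798cd`. Before tagging, confirm that `tower-sessions-memory-store` does not still rely on the default `create` that wraps `save`, since the CHANGELOG hunk above states that default remains exposed to the collision it describes.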

README.md

Lines changed: 1 addition & 1 deletion
@@ -81,7 +81,7 @@ To use the crate in your project, add the following to your `Cargo.toml` file:
8181

8282
```toml
8383
[dependencies]
84-
tower-sessions = "0.11.1"
84+
tower-sessions = "0.12.0"
8585
```
8686

8787
## 🤸 Usage
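Review bot: only the dependency version changes here, yet the release asks every third-party `SessionStore` implementation to override `create`; a one-line note next to this snippet pointing users to the 0.12.0 CHANGELOG entry would make it harder to upgrade the crate while keeping an unpatched store.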
