| author | Michael Merickel <michael@merickel.org> | 2020-11-01 18:13:06 -0600 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2020-11-01 18:13:06 -0600 |
| commit | c6772eadc18056b5eed90f6a694e53579ba403a4 (patch) | |
| tree | a654be6f6f00afa0b3f6575fd950d6f0fb5ce7d9 /CHANGES.rst | |
| parent | f0a61fbe2f51173bf283989bee4085f8e839e952 (diff) | |
add changelog for #3587
Diffstat (limited to 'CHANGES.rst')
| -rw-r--r-- | CHANGES.rst | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index 753997bf4..3ad62669c 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -261,6 +261,17 @@ Backward Incompatibilities ``require_csrf`` view option to enable automatic CSRF checking. See https://github.com/Pylons/pyramid/pull/3521 +- Update the default behavior of + ``pyramid.authenticationAuthTktAuthenticationPolicy`` and + ``pyramid.authentication.AuthTktCookieHelper`` to only set a single cookie + without a domain parameter when no other domain constraints are specified. + Prior to this change, ``wild_domain=False`` (the default) was effectively + treated the same as ``wild_domain=True``, in which a cookie was defined + such that browsers would use it both for the request's domain, as well as + any subdomain. In the new behavior, cookies will only affect the current + domain, and not subdomains, by default. + See https://github.com/Pylons/pyramid/pull/3587 + Documentation Changes --------------------- |
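Review bot: The first dotted name in the new entry is missing a separator: ``pyramid.authenticationAuthTktAuthenticationPolicy`` should read ``pyramid.authentication.AuthTktAuthenticationPolicy``, matching the ``pyramid.authentication.AuthTktCookieHelper`` reference on the next line. Since this sits under "Backward Incompatibilities" and narrows the auth cookie's scope from the domain plus its subdomains to the current domain only, it would also help to add one sentence for deployments that relied on the old subdomain-wide cookie, stating that they now need to set ``wild_domain=True`` (or another domain constraint) explicitly to keep that behavior.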
