| -rw-r--r-- | CHANGES.rst | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index 753997bf4..3ad62669c 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -261,6 +261,17 @@ Backward Incompatibilities ``require_csrf`` view option to enable automatic CSRF checking. See https://github.com/Pylons/pyramid/pull/3521 +- Update the default behavior of + ``pyramid.authenticationAuthTktAuthenticationPolicy`` and + ``pyramid.authentication.AuthTktCookieHelper`` to only set a single cookie + without a domain parameter when no other domain constraints are specified. + Prior to this change, ``wild_domain=False`` (the default) was effectively + treated the same as ``wild_domain=True``, in which a cookie was defined + such that browsers would use it both for the request's domain, as well as + any subdomain. In the new behavior, cookies will only affect the current + domain, and not subdomains, by default. + See https://github.com/Pylons/pyramid/pull/3587 + Documentation Changes --------------------- |
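Review bot: The dotted path in the second added line, ``pyramid.authenticationAuthTktAuthenticationPolicy``, is missing the dot between `authentication` and `AuthTktAuthenticationPolicy`. The following line writes ``pyramid.authentication.AuthTktCookieHelper``, so this one should read ``pyramid.authentication.AuthTktAuthenticationPolicy``. Because the entry is filed under Backward Incompatibilities, it would also help to add one sentence telling applications that relied on the auth cookie being sent to subdomains what to change, for example that they now need to pass ``wild_domain=True`` explicitly, since the text already says that setting is what produces the subdomain-wide cookie.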
