v1.3.5

Fix the "Expires" date format and add "Max-Age=0;" when deleting a cookie.

This change does not affect the security of secure cookies.

v1.3.4

Add method to get the values and stamp of cookies with same name in a request.

In some particular conditions, http clients may send requests with multiple cookies where some have the same name. The added method GetValues allows to retrieve all the values with the respective time stamp of generation, or the corresponding errors if any.

This change doesn't affect security of the cookie and is backward compatible.

v1.3.3

Add the method GetValueAndStamp that returns the value and the time when it was set with SetValue.

The API modification of this release is backward compatible and it doesn't affect security.

v1.3.2

Add a retract directive to go.mod for all previous releases because of various bug fixes.

Bugs don’t affect security. They only affect usability. Use the latest version to avoid any problems.

v1.3.1

This release fix issue #19 preventing from creating session cookies. A cookie with MaxAge 0 can now be created and read back without error.

v1.3.0

add SameSite parameter as requested in issue #11.

By default, SameSite is undefined and unspecified in Set-Cookie. Acceptable values are securecookie.None, securecookie.Lax and securecookie.Strict. A SameSite parameter with value None is specified in Set-Cookie only when Secure is true.

v1.2.0

Add accessor method Name() and complete example.

v1.1.0

Add function MustGenerateRandomKey. This function calls GenerateRandomKey and panics if it returns an error. This function is intended to be used to initialize the key outside of any function like this:

var cookiesKey = securecookie.MustGenerateRandomKey()
var myCookie = securecookie.MustNew("myCookie", cookiesKey, securecookie.Params{
		Path:     "/sec",        // cookie received only when URL starts with this path
		Domain:   "example.com", // cookie received only when URL domain matches this one
		MaxAge:   3600,          // cookie becomes invalid 3600 seconds after it is set
		HTTPOnly: true,          // disallow access by remote javascript code 
		Secure:   true,          // cookie received only with HTTPS, never with HTTP
})
func main() {
    ...
}

Full SemVer version for go module recognition

This is the same release as v1.0 with the difference that the tag is now v1.0.0 so that it is recognized by go module tools.

v1.0

Stable version v1.0 is out.

• The API and the secure cookie encoding are unchanged. v1.0 is backward compatible with v6.0 and v5.0.
• Code and comments have been cleaned up.
• The base64 encoding and decoding have been optimized (x2 for decoding). But the total time did not change much because it represent only 5% on the total time.
• Benchmarks were not updated because they stayed roughly the same.
• securecookie is now a module, and has been compiled and tested with go1.11.

Thank you to all the contributors. Feedback and bug fix are welcome.