The signed part of session cookies now contains an ID field. Because of this, cookies generated by previous versions will no longer be accepted. This means that after upgrading to this version every pre-existing session is logged out and users will need to log in again.
All tls configuration sections now support the same options. For the LDAP auth backend this means that the start-tls option has been moved out of the tls section.
The cookie signing key options in the configuration have been renamed to harmonize the naming convention with the tls sections. This means that private-key and public-key now expect a file name to load the keys from. To configure keys inline use the new options private-key-data and public-key-data.
The exact changes for the config file format can be seen here
Improvements
Revoke-able Sessions
Every new session is now stored in a local database either in-memory (volatile) or inside Bolt (non-volatile).
Clicking the logout button at the built-in web UI now marks the session as revoked and then instructs the browser to delete the session cookie.
The logged-in template of the built-in web UI also shows other active sessions by the same user as well as logout buttons for those sessions.
Verify-only instances can sync revocations using HTTPS requests secured with Bearer tokens. The transferred revocation lists are signed.
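
The following added example (not code from this project) sketches why a session ID inside the signed part of the cookie makes revocation possible, and how a verify-only instance can check both a cookie and a signed revocation list with nothing but the public key. The use of Ed25519, the token layout, the `Payload` type, the context prefixes and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type Payload struct{ ID, Username string } // hypothetical cookie body, not the project's format
const CtxCookie, CtxRevoked = "cookie:", "revoked:" // assumed domain-separation prefixes
var enc = base64.RawURLEncoding
var DemoPub, DemoPriv, _ = ed25519.GenerateKey(nil) // throwaway key pair, constructed for the demo

// Sign returns base64(body) + "." + base64(signature over ctx+body).
func Sign(priv ed25519.PrivateKey, ctx string, v interface{}) string {
	body, _ := json.Marshal(v)
	sig := ed25519.Sign(priv, append([]byte(ctx), body...))
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig)
}

// Open checks the signature under the given context, then decodes the body into v.
func Open(pub ed25519.PublicKey, ctx, token string, v interface{}) error {
	b, s, _ := strings.Cut(token, ".")
	body, err1 := enc.DecodeString(b)
	sig, err2 := enc.DecodeString(s)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, append([]byte(ctx), body...), sig) {
		return errors.New("bad signature")
	}
	return json.Unmarshal(body, v)
}

// CheckSession needs only the public key, as on a verify-only instance.
func CheckSession(pub ed25519.PublicKey, cookie, revList string) (string, error) {
	p, revoked := Payload{}, map[string]bool{}
	if Open(pub, CtxRevoked, revList, &revoked) != nil || Open(pub, CtxCookie, cookie, &p) != nil {
		return "", errors.New("bad cookie or revocation list")
	}
	if p.ID == "" || revoked[p.ID] { // no ID (old-style cookie) or logged out elsewhere
		return "", errors.New("session has no ID or is revoked")
	}
	return p.Username, nil
}

func main() {
	revoked := Sign(DemoPriv, CtxRevoked, map[string]bool{"s1": true})
	fmt.Println(CheckSession(DemoPub, Sign(DemoPriv, CtxCookie, Payload{"s1", "alice"}), revoked))
}
```

Signing cookies and revocation lists under different context prefixes keeps a valid cookie from being replayed as a revocation list, and the reverse, when both are signed with the same key.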