Session tracks the user agent in the session, to add some detection of
stolen session IDs. However this was causing a session to always be
created, even if this request didnt store any data in the session.
By default, the Session.timeout configuration option specifies the total
session time, regardless of the amount of activity. This change means
that the timeout specifies how long without any further dynamic requests
before the session cookie expires.
The way it does this is to re-set the session cookie expiry with a
subsequent Set-Cookie command each time a request that necessitates
a session is called.
Strictly speaking, it's a change in session timeout semantics, but I think
it's a good one, because total-session-time-regardless-of-activity is a
stupid timeout to include, and has more to do with the mechanics of the
internet than with application security requirements.
Regression introduced by Config API static changes.
Effectively meant that you can no longer log in to the CMS
since the cookie path is set for each URL individually...
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer.