Released on December 2nd, 2017
- New config option USE_SESSION_FOR_NEXT to enable storing next url in session
instead of url. 330
- Accept int seconds along with timedelta for REMEMBER_COOKIE_DURATION. 370
- New config option FORCE_HOST_FOR_REDIRECTS to force host for redirects. 371
Released on October 26th, 2016
- Fixes OPTIONS exemption from login. 244
- Fixes use of MD5 by replacing with SHA512. 264
- BREAKING: The `login_manager.token_handler` function, `get_auth_token` method
on the User class, and the `utils.make_secure_token` utility function have
been removed to prevent users from creating insecure auth implementations.
Use the `Alternative Tokens` example from the docs instead. 291
Released on October 8th, 2015
- Fixes Python 2.6 compatibility.
- Updates SESSION_KEYS to include "remember".
Released on September 30th, 2015
- Fixes removal of non-Flask-Login keys from session object when using 'strong'
Released on September 10th, 2015
- Fixes handling of X-Forward-For header.
- Update to use SHA512 instead of MD5 for session identifier creation.
- Fixes session creation for every view.
- BREAKING: UTC used to set cookie duration.
- BREAKING: Non-fresh logins now returns HTTP 401.
- Support unicode user IDs in cookie.
- Fixes user_logged_out signal invocation.
- Support for per-Blueprint login views.
- BREAKING: The `is_authenticated`, `is_active`, and `is_anonymous` members of
the user class are now properties, not methods. Applications should update
their user classes accordingly.
- Various other improvements including documentation and code clean up.
Released on May 19th, 2014
- Fixes missing request loader invocation when authorization header exists.
Released on March 9th, 2014
- Generalized `request_loader` introduced; ability to log users in via
customized callback over request.
- Fixes request context dependency by explicitly checking `has_request_context`.
- Fixes remember me issues since lazy user loading changes.
Released on December 28th, 2013
- Fixes anonymous user assignment.
- Fixes localization in Python 3.
Released on December 21st 2013
- Support login via authorization header. This allows login via Basic Auth, for
example. Useful in an API presentation context.
- Ability to override user ID method name. This is useful if the ID getter is
named differently than the default.
- Session data is now only read when the user is requested. This can be
beneficial for cookie and caching control when differenting between
requests that use user information for rendering and ones where all users
(including anonymous) get the same result (e.g. static pages)
- BREAKING: User *must* always be accessed through the ``current_user``
local. This breaks any previous direct access to ``_request_ctx.top.user``.
This is because user is not loaded until current_user is accessed.
- Fixes unnecessary access to the session when the user is anonymous
and session protection is active.
- Fixes issue where order dependency of applying the login manager
before dependent applications was required.
- Fixes Python 3 ``UserMixin`` hashing.
- Fixes incorrect documentation.
Prior to 0.2.8, no proper changelog was kept.