| http | by dg | deprecated wip | | | |
| http | by dg | removed samesite check using cookie (BC break) | | | |
| http | by dg | IRequest, IResponse: added typehints, unification (BC break) | | | |
| http | by dg | SessionSection: removed $warnOnUndefined (BC break) | | | |
| http | by dg | silently deprecated methods trigger E_USER_DEPRECATED | | | |
| http | by dg | removed deprecated stuff | | | |
| http | by dg | opened 4.0-dev | | | |
| http | by dg | Response: setCookie() supports the Partitioned (CHIPS) attribute Adds a $partitioned argument to setCookie(). When enabled it appends the Partitioned attribute and forces Secure, which the browser requires for a partitioned cookie. Like $sameSite, the argument lives only on Response, not on the IResponse interface. | | | |
| http | by dg | Response: setCookie() forces Secure for SameSite=None A cookie with SameSite=None is rejected by browsers unless it also carries the Secure attribute (RFC 6265bis). setCookie() now enables Secure automatically in that case, overriding both the $secure argument and the cookieSecure default. | | | |
| http | by dg | Response: setCookie() sends the Max-Age attribute Adds Max-Age next to expires - Max-Age takes precedence over expires (RFC 6265) and, unlike expires, does not depend on the client clock; expires is kept for ancient clients. This is something setcookie()'s options array could not control. A non-positive number of seconds clamps Max-Age to 0 (immediate deletion), so deleteCookie() now performs a real deletion (a past time => Max-Age=0) instead of setting a session cookie with an empty value. | | | |
| http | by dg | Response: setCookie() builds the Set-Cookie header itself instead of setcookie() Replaces the setcookie() call with a hand-built "Set-Cookie" header sent via header(), keeping the exact same output (expires attribute, no Max-Age yet). The value is raw-url-encoded the same way PHP reads it back from $_COOKIE, and the name is validated the way setcookie() does - it cannot be url-encoded, because PHP does not url-decode cookie names when reading $_COOKIE (only values), so an encoded name would not round-trip. | | | |
| http | by dg | Helpers: added expirationToSeconds() unifying expiration parsing A numeric value (including a numeric string) is taken directly as the number of seconds, a DateTimeInterface or a textual string (e.g. '20 minutes', '2024-01-01') is resolved as an absolute time, and null means "no value". An empty string is rejected as it is never meaningful. The helper is a pure parser and applies no policy - each caller decides what null or a non-positive result means in its own context: - Response::setExpiration(): null or a non-positive time disables caching - Session::setExpiration(): null restores the default lifetime, a non-positive time throws (a lifetime in the past makes no sense) - SessionSection::setExpiration(): null clears the expiration - Response::setCookie(): null is a session cookie, a non-positive time deletes it; passing integer 0 (which used to mean a session cookie) is deprecated in favour of null | | | |
| http | by dg | Request: added Helpers::parseQualityList() and rewrote detectLanguage() on top of it parseQualityList() is a generic parser for HTTP quality-value headers (Accept, Accept-Language, Accept-Encoding, ...). detectLanguage() now matches case-insensitively and returns the language code in the caller's original casing. | | | |
| http | by dg | UserStorage: removed deprecated class Replaced by Nette\Bridges\SecurityHttp\SessionStorage. | | | |
| http | by dg | Request::getRemoteHost() is deprecated and returns null [Closes #218] | | | |
| http | by dg | Request::isSameSite() is silently deprecated | | | |
| http | by dg | added Request::isFrom() WIP | | | |
| http | by dg | added IPAddress and UrlValidator IPAddress: immutable IPv4/IPv6 value object with predicates for address class (isPublic/isPrivate/isLoopback/isLinkLocal/isMulticast/isReserved), isInRange() for CIDR matching, and IPv4-mapped IPv6 normalization. UrlValidator: configurable URL validator for SSRF guard. Validates scheme, port, host allow/blocklist, userinfo, and (optionally with DNS) resolved IP ranges. Returns resolved IPs for connection pinning via CURLOPT_RESOLVE. | | | |
| http | by dg | composer: increased dependencies versions | | | |
| http | by dg | requires PHP 8.3 | | | |
| http | by dg | opened 3.4-dev | | | |
| http | by dg | Session: clarified default-lifetime comments to reflect modern browser | | | |
| http | by dg | added CLAUDE.md | | | |
| http | by dg | cs | | | |
| application | by dg | removed {templatePrint} | | | |
| application | by dg | uses nette/routing 4.0 | | | |
| application | by dg | removed support for @annotations (BC break) | | | |
| application | by dg | Presenter: removed constructor (BC break!) | | | |
| application | by dg | Component::link() etc. use a variadic parameter | | | |
| application | by dg | Component: only UI components can be added to presenter/component (BC break) WIP | | | |
| application | by dg | Component: method checkRequirements() is called for createComponent<Name>() methods (BC break) | | | |
| application | by dg | Revert "UI\PresenterComponent: removed references created by loadState() for persistent parameters. [Closes nette/nette#703][Closes nette/nette#703][Closes #69]" (possible BC break) This reverts commit cda17f460d020b0f042364d4e140742022a7e94d. See https://forum.nette.org/cs/35528-stejne-pojmenovany-parametr-akce-presenteru-a-persistentni-odlisne-chovani-v-nette-2-0-oproti-aktualnimu#p221742 BC break: Property must be nullable, i.e.: #[Persistent] public ?int $foo | | | |