Http Laravel Package

• support for PHP 8.5
• optimized global function calls
• Url, UrlImmutable: user & password are deprecated

• UrlImmutable, UrlScript: added resolve()
• Url: added isAbsolute() & removeDotSegments()
• UrlImmutable, UrlScript: removed build() method
• Url::canonicalize() char " does not need to be encoded
• Url, UrlImmutable: user & password are deprecated
• FileUpload::__construct() accepts path
• SessionPanel: convert templates to Latte-like syntax

• support for PHP 8.4
• FileUpload::getSanitizedName() changes the extension only for image files #239
• RequestFactory: extract port from x-forwarded-host (#230)
• FileUpload: Initialize properties (#235)(#195)
• Session: keep exceptions chain on session_start (#240)
• Session: SessionSection class template annotation #225
• IResponse: added DateTimeInterface to setCookie $expire param (#237)
• readonly properties

• FileUpload: added getSuggestedExtension()
• RequestFactory: unify and fix host parsing (#229)

• requires PHP 8.1
• uses PHP 8.1 features

• support for PHP 8.3
• FileUpload: detects supported images
• RequestFactory: fixed port detection when HTTP_HOST & SERVER_PORT are used #223
• removed fix for IE

• SessionExtension: don't set readAndClose if null (#213)
• Improved https recognition behind load balancer (#221)
• RequestFactory: fix X-Forwarded-Host mixup with remote host (#222)
• RequestFactory: performance optimization #220
• RequestFactory: fixed filter detection
• Url: host can end with dot #198
• added Session::getSectionNames(), replacement for getIterator()

• SessionExtension: don't set readAndClose if null (#213)
• Improved https recognition behind load balancer (#221)
• RequestFactory: fix X-Forwarded-Host mixup with remote host (#222)
• RequestFactory: performance optimization
• RequestFactory: fixed filter detection
• Url: host can end with dot #198

BC break:

• RequestFactory: removed HTTP authentication credential from Url to prevent leak it (#211 #215)

$httpRequest->getUrl()->getUser() + getPassword()
// changed to 
[$user, $pass] = $httpRequest->getBasicCredentials();

New features:

• Request: added getBasicCredentials()
• Url, UrlImmutable: added getDefaultPort()
• RequestFactory::getHeaders() recreates Authorization header
• support for full_path upload (#207 #212)
• HttpExtension: dynamic options cookiePath, cookieDomain, cookieSecure (#216)
• constants are PascalCase

Deprecations:

• IRequest::getRemoteHost() is silently deprecated (#218)
• SessionSection: magic accessors & ArrayAccess are silently deprecated
• Session::getIterator() is deprecated

• support for PHP 8.2
• Request::getReferer() is deprecated #210
• cs

• added Request::getOrigin()
• RequestFactory: support for PHP built-in web server nette-examples/user-authentication#3
• coding style

• SessionExtension: added values 'always' & 'never' for option 'autoStart'
• Session: option 'autoStart' controls auto start on reading or writing (BC break)
• Session: added autoStart() to prevent session files from being created when the session id is spoofed
• SessionSection: remove() is not writing operation
• SessionSection: added methods set(), get(), remove()
• Session: refactoring
• Session: cleaning is done in __destruct
• Session: don't send session cookie twice
• Session: don't regenerate ID in readAndClose mode
• Session: added events $onStart & $onBeforeWrite
• Session: fixed condition in clean()

• SessionExtension: default is autoStart = false to avoid creating new session files if the session_id is spoofed (BC break)
• SessionSection: added methods set(), get(), remove()
• Session: don't send session cookie twice
• Session: don't regenerate ID in readAndClose mode
• Session: fixed condition in clean()

• support for PHP 8.1
• HttpExtension: added option 'disableNetteCookie' #205
• Session: fixed option 'readAndClose' #206
• Session: fixed condition in destroy() (#204)
• RequestFactory: urlFilters replaces only double // to single
• RequestFactory: strips trailing . from host

• HttpExtension: added option 'disableNetteCookie' #205
• Session: fixed option 'readAndClose' #206
• Session: fixed condition in destroy() (#204)
• RequestFactory: urlFilters replaces only double // to single
• RequestFactory: strips trailing . from host
• Helpers: nette-samesite is resent at each request
• IResponse: added constants SAME_SITE_*
• ScriptUrl: Fix class extendability (#187) (#188)

• added Response::sendAsFile()
• SessionSection: __get() returns reference (#191)(#192)
• Url: IDN domain automatically convert to UTF-8. (#190)

For the details you can have a look at the diff.

• requires PHP 7.2
• Response::setCookie() default $sameSite is 'Lax' (BC break)
• Response::setCookie() prevents an inappropriate combination of path and domain
• Response: deprecated $cookieHttpOnly
• Request::getFile() accepts array of keys and returns FileUpload|null (BC break)
• FileUpload::getImageSize() returns only [x, y] values (BC break)
• UrlImmutable: added withQueryParameter()
• Url: silently deprecated getBasePath(), getBaseUrl(), getRelativeUrl()
• UserStorage is deprecated by Nette\Bridges\SecurityHttp\SessionStorage

Session & Cookies

• Session: default sameSite is 'Lax' (BC break)
• SessionExtension: option session.cookieSecure is deprecated, http.cookieSecure is used (BC break)
• SessionExtension: checks that cookieSamesite is Lax|Strict|None (BC break)
• SessionSection: can read data when session is closed
• Session: deprecated getCookieParameters() triggers E_USER_DEPRECATED
• HttpExtension: added options cookiePath & cookieDomain
• HttpExtension: cookieSecure is by default 'auto' (BC break)
• cookie nette-samesite renamed to _nss

compatible with PHP 8.0

• compatible with PHP 8.0
• FileUpload: added getImageFileExtension()
• FileUpload: added getUntrustedName() as alias for getName()
• FileUpload::getSanitizedName: returns correct file extension for images
• FileUpload: fixed TypeError if getimagesize() returns false (#184)
• FileUpload::getSanitizedName: Remove redundant minus before dot. (#179)
• FileUpload::getSanitizedName: returns 'unknown' instead of empty string
• Helpers::initCookie() sends cookie nette-samesite only if doesn't exist

For the details you can have a look at the diff.

• Url::parseQuery() fixed parsing of ; #177
• RequestFactory: $xForwardedForWithoutProxies can be empty #175
• SessionPanel: uses capturing
• HttpExtension, SessionExtension: uses $initialization (requires nette/di 3.0.3)
• uses nette/utils 3.1

For the details you can have a look at the diff.

• HttpExtension: added support for 'http:' in CSP
• Session: prevents warning Cannot change session cookie parameters when session is active
• Url::parseQuery() accepts separator ;
• IResponse: added REASON_PHRASES
• HttpExtension: 'proxy' can be string

For the details you can have a look at the diff.

• Session: added read_and_close configuration (#156)
• RequestFactory: respect host set by trusted proxy (#162)
• RequestFactory: set user and password to Url (#161)
• UrlImmutable: added withoutUserInfo()
• Url, UrlImmutable: includes "empty" hostname ('0') in the host URL (#159)(#158)
• added .phpstorm.meta.php

For the details you can have a look at the diff.

• DI extensions: are using configuration Schema
• simplified code
• Session: do not regenerate session ID when is newly created
• Session: security options can not be bypassed
• Session: $started changed from static to object property
• Session: $started replaced with checking session_status() for better cooperation with the session started outside nette nette/forms#214
• RequestFactory: added workaround [] in REMOTE_ADDR #152
• Revert "HttpExtension: uses interfaces IRequest & IResponse instead of Request & Response (BC break) #90"
• SessionExtension: accepts 'cookieSamesite = true'
• Revert "Session: by default uses sameSite: Lax (BC break)"
• HttpExtension: removed option 'sameSiteProtection', cookie 'nette-samesite' is always set
• Session: validates configuration option names
• SessionPanel: uses Tracy\Helpers::escapeHtml()

For the details you can have a look at the diff.

• Session: do not regenerate session ID when is newly created
• HttpExtension: option 'sameSiteProtection' does not change session cookie flag 'samesite'
• SessionExtension: added option handler to pass own SessionHandlerInterface (#146)

For the details you can have a look at the diff.

Features

• requires PHP 7.1
• uses declare(strict_types=1)
• uses PHP 7.1 scalar and return type hints
• added support for SameSite cookie
• Request, HttpExtension: added sameSite protection (enabled by default)
• Session: by default uses sameSite: Lax (BC break)
• Session: enabled PHP option use_strict_mode
• FileUpload: added IMAGE_MIME_TYPES
• FileUpload: Added Webp content type to isImage (#132)
• added UrlImmutable
• UrlScript: added getRelativePath() [Closes #45]

Changes

• UrlScript extends from UrlImmutable (BC break)
• Request: removed unused second parameter $query (BC break)
• IRequest, IResponse, Url: parameters $default are deprecated (BC break)
• HttpExtension: uses interfaces IRequest & IResponse instead of Request & Response (BC break) [Closes #90]
• some classes & members marked as final (BC break)
• HttpExtension: default value of secureCookie is auto (BC break)
• Session: default values for cookie_path, cookie_domain & cookie_secure are taken from Response
• Session::getCookieParameters() is deprecated
• Url::parseQuery() - correctly decodes spaces and dots in keys (BC break)
• Url: is not ignoring user & password (BC break) [Closes #63]
• RequestFactory: removed user & password from Url (BC break)
• Request::getReferer() returns UrlImmutable (BC break)

• Request, HttpExtension: added sameSite protection
• Session: added support for SameSite cookie
• Response::setCookie() supports SameSite
• SessionExtension: cookieSecure can be 'auto'
• Response: removed removeDuplicateCookies() #139
• HttpExtension: added option cookieSecure; allowed values are: true, false, auto
• HttpExtension: allows bools in CSP policy
• HttpExtension: fixed quotating in sections require-sri-for & sandbox #143
• HttpExtension: added Feature-Policy header #142
• HttpExtension: renamed csp-report to cspReportOnly (BC break)
• fixed compatibility with PHP 7.3

For the details you can have a look at the diff.

• SessionPanel: compatibility with Tracy 2.5
• coding style
• type fixes

For the details you can have a look at the diff.

• HttpExtension: allow setup CSP in restrictive and report mode at the same time #136 #135
• Session: don't call session_set_cookie_params() when values was not changed #134 #23
• Session: session id cookie is checked only if it was not regenerated #133 #129

For the details you can have a look at the diff.

• supports PHP up to 7.2
• FileUpload: uses FileSystem
• silenced each() deprecation notice in PHP 7.2

For the details you can have a look at the diff.

• coding style: fixes, lowercase true/false/null
• RequestFactory: when proxy is used and HTTP_X_FORWARDED_PORT is not available, uses default port #124
• RequestFactory: test that HTTP_X_FORWARDED_PROTO doesn't change the port
• typo
• RequestFactory: correctly ignores not-ip values in HTTP_X_FORWARDED_FOR & REMOTE_ADDR (#122)

For the details you can have a look at the diff.