===========================
May 5, 2014
-----------
Security fixes
~~~~~~~~~~~~~~
* The signed-value format used by `.RequestHandler.set_secure_cookie`
and `.RequestHandler.get_secure_cookie` has changed to be more secure.
**This is a disruptive change**. The ``secure_cookie`` functions
take new ``version`` parameters to support transitions between cookie
formats.
* The new cookie format fixes a vulnerability that may be present in
applications that use multiple cookies where the name of one cookie
is a prefix of the name of another.
* To minimize disruption, cookies in the older format will be accepted
by default until they expire. Applications that may be vulnerable
can reject all cookies in the older format by passing ``min_version=2``
to `.RequestHandler.get_secure_cookie`.
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Signed cookies issued by `.RequestHandler.set_secure_cookie` in Tornado
3.2.1 cannot be read by older releases. If you need to run 3.2.1
in parallel with older releases, you can pass ``version=1`` to
`.RequestHandler.set_secure_cookie` to issue cookies that are
backwards-compatible (but have a known weakness, so this option
should only be used for a transitional period).
Other changes
~~~~~~~~~~~~~
* The C extension used to speed up the websocket module now compiles
correctly on Windows with MSVC and 64-bit mode. The fallback to
the pure-Python alternative now works correctly on Mac OS X machines
with no C compiler installed.