http

• FileUpload: added getSuggestedExtension()
• RequestFactory: unify and fix host parsing (#229)

• requires PHP 8.1
• uses PHP 8.1 features

• support for PHP 8.3
• FileUpload: detects supported images
• RequestFactory: fixed port detection when HTTP_HOST & SERVER_PORT are used #223
• removed fix for IE

• SessionExtension: don't set readAndClose if null (#213)
• Improved https recognition behind load balancer (#221)
• RequestFactory: fix X-Forwarded-Host mixup with remote host (#222)
• RequestFactory: performance optimization #220
• RequestFactory: fixed filter detection
• Url: host can end with dot #198
• added Session::getSectionNames(), replacement for getIterator()

• SessionExtension: don't set readAndClose if null (#213)
• Improved https recognition behind load balancer (#221)
• RequestFactory: fix X-Forwarded-Host mixup with remote host (#222)
• RequestFactory: performance optimization
• RequestFactory: fixed filter detection
• Url: host can end with dot #198

BC break:

• RequestFactory: removed HTTP authentication credential from Url to prevent leak it (#211 #215)

$httpRequest->getUrl()->getUser() + getPassword()
// changed to 
[$user, $pass] = $httpRequest->getBasicCredentials();

New features:

• Request: added getBasicCredentials()
• Url, UrlImmutable: added getDefaultPort()
• RequestFactory::getHeaders() recreates Authorization header
• support for full_path upload (#207 #212)
• HttpExtension: dynamic options cookiePath, cookieDomain, cookieSecure (#216)
• constants are PascalCase

Deprecations:

• IRequest::getRemoteHost() is silently deprecated (#218)
• SessionSection: magic accessors & ArrayAccess are silently deprecated
• Session::getIterator() is deprecated

• support for PHP 8.2
• Request::getReferer() is deprecated #210
• cs

• added Request::getOrigin()
• RequestFactory: support for PHP built-in web server nette-examples/user-authentication#3
• coding style

• SessionExtension: added values 'always' & 'never' for option 'autoStart'
• Session: option 'autoStart' controls auto start on reading or writing (BC break)
• Session: added autoStart() to prevent session files from being created when the session id is spoofed
• SessionSection: remove() is not writing operation
• SessionSection: added methods set(), get(), remove()
• Session: refactoring
• Session: cleaning is done in __destruct
• Session: don't send session cookie twice
• Session: don't regenerate ID in readAndClose mode
• Session: added events $onStart & $onBeforeWrite
• Session: fixed condition in clean()

• SessionExtension: default is autoStart = false to avoid creating new session files if the session_id is spoofed (BC break)
• SessionSection: added methods set(), get(), remove()
• Session: don't send session cookie twice
• Session: don't regenerate ID in readAndClose mode
• Session: fixed condition in clean()

• support for PHP 8.1
• HttpExtension: added option 'disableNetteCookie' #205
• Session: fixed option 'readAndClose' #206
• Session: fixed condition in destroy() (#204)
• RequestFactory: urlFilters replaces only double // to single
• RequestFactory: strips trailing . from host

• HttpExtension: added option 'disableNetteCookie' #205
• Session: fixed option 'readAndClose' #206
• Session: fixed condition in destroy() (#204)
• RequestFactory: urlFilters replaces only double // to single
• RequestFactory: strips trailing . from host
• Helpers: nette-samesite is resent at each request
• IResponse: added constants SAME_SITE_*
• ScriptUrl: Fix class extendability (#187) (#188)

• added Response::sendAsFile()
• SessionSection: __get() returns reference (#191)(#192)
• Url: IDN domain automatically convert to UTF-8. (#190)

For the details you can have a look at the diff.

• requires PHP 7.2
• Response::setCookie() default $sameSite is 'Lax' (BC break)
• Response::setCookie() prevents an inappropriate combination of path and domain
• Response: deprecated $cookieHttpOnly
• Request::getFile() accepts array of keys and returns FileUpload|null (BC break)
• FileUpload::getImageSize() returns only [x, y] values (BC break)
• UrlImmutable: added withQueryParameter()
• Url: silently deprecated getBasePath(), getBaseUrl(), getRelativeUrl()
• UserStorage is deprecated by Nette\Bridges\SecurityHttp\SessionStorage

Session & Cookies

• Session: default sameSite is 'Lax' (BC break)
• SessionExtension: option session.cookieSecure is deprecated, http.cookieSecure is used (BC break)
• SessionExtension: checks that cookieSamesite is Lax|Strict|None (BC break)
• SessionSection: can read data when session is closed
• Session: deprecated getCookieParameters() triggers E_USER_DEPRECATED
• HttpExtension: added options cookiePath & cookieDomain
• HttpExtension: cookieSecure is by default 'auto' (BC break)
• cookie nette-samesite renamed to _nss

compatible with PHP 8.0

• compatible with PHP 8.0
• FileUpload: added getImageFileExtension()
• FileUpload: added getUntrustedName() as alias for getName()
• FileUpload::getSanitizedName: returns correct file extension for images
• FileUpload: fixed TypeError if getimagesize() returns false (#184)
• FileUpload::getSanitizedName: Remove redundant minus before dot. (#179)
• FileUpload::getSanitizedName: returns 'unknown' instead of empty string
• Helpers::initCookie() sends cookie nette-samesite only if doesn't exist

For the details you can have a look at the diff.

• Url::parseQuery() fixed parsing of ; #177
• RequestFactory: $xForwardedForWithoutProxies can be empty #175
• SessionPanel: uses capturing
• HttpExtension, SessionExtension: uses $initialization (requires nette/di 3.0.3)
• uses nette/utils 3.1

For the details you can have a look at the diff.

• HttpExtension: added support for 'http:' in CSP
• Session: prevents warning Cannot change session cookie parameters when session is active
• Url::parseQuery() accepts separator ;
• IResponse: added REASON_PHRASES
• HttpExtension: 'proxy' can be string

For the details you can have a look at the diff.

• Session: added read_and_close configuration (#156)
• RequestFactory: respect host set by trusted proxy (#162)
• RequestFactory: set user and password to Url (#161)
• UrlImmutable: added withoutUserInfo()
• Url, UrlImmutable: includes "empty" hostname ('0') in the host URL (#159)(#158)
• added .phpstorm.meta.php

For the details you can have a look at the diff.

• DI extensions: are using configuration Schema
• simplified code
• Session: do not regenerate session ID when is newly created
• Session: security options can not be bypassed
• Session: $started changed from static to object property
• Session: $started replaced with checking session_status() for better cooperation with the session started outside nette nette/forms#214
• RequestFactory: added workaround [] in REMOTE_ADDR #152
• Revert "HttpExtension: uses interfaces IRequest & IResponse instead of Request & Response (BC break) #90"
• SessionExtension: accepts 'cookieSamesite = true'
• Revert "Session: by default uses sameSite: Lax (BC break)"
• HttpExtension: removed option 'sameSiteProtection', cookie 'nette-samesite' is always set
• Session: validates configuration option names
• SessionPanel: uses Tracy\Helpers::escapeHtml()

For the details you can have a look at the diff.