Release 2.5

• Bugfix: session.save close argument was not defaulting to true.

Release 2.4

• Feature: Cookie will now have SameSite attribute set as Lax by default. You can turn it off or set to Strict by configuration.
• Change: Calling save will now also set session.id if the save was called without calling start first. See Also: #27, Thanks @hcaihao

Release 2.3

• Bugfix: Fixes issue #19 where regenerating session would throw an error when using cookie storage. See Also: #19. Thanks @hulu1522.

Release 2.2

• Change: Removed all session_cipher_* deprecated settings (it was somewhat broken in 2.1).
• Change: Changed session secret to be by default 32 bytes random data (See Also: #18) Thanks @iain-buclaw-sociomantic
• Documentation: Added documentation about removed features and corrected about session secret size accordingly.

Release 2.1

• Feature: Added architecture for Cipher adapter plugins. (See Also: #16) Thanks @mingfang
• Feature: Implemented AES cipher adapter (just like it was before)
• Feature: Implemented None cipher adapter (no encryption)
• Change: Changed JSON serializer to use cjson.safe instead
• Documentation: Added documentation about pluggable ciphers

Release 2.0

• Feature: Added architecture for Storage adapter plugins. (See Also: #13)
• Feature: Implemented Client Side Cookie storage adapter.
• Feature: Implemented Memcache storage adapter. (See Also: #14) Thanks @zandbelt
• Feature: Implemented Redis storage adapter.
• Feature: Implemented Shared Dictionary (shm) storage adapter.
• Feature: Added architecture for Encoder and Decoder plugins.
• Feature: Implemented Base 64 encoder / decoder.
• Feature: Implemented Base 16 (hex) encoder / decoder.
• Feature: Added architecture for Serializer plugins
• Feature: Implemented JSON serializer.
• Feature: Persistent cookies will now also contain Max-Age in addition to Expires.
• Change: Cookie domain attribute is not set anymore if not specified.
• Documentation: Added notes about using lua-resty-session with Lua code cache turned off. (See also: #15) Thanks @BizShuk

Release 1.7

• Feature: Added session.open() function that only opens a session but doesn't send the cookie (until start is called). See also: #12 (Thanks @junhanamaki)
• Bugfix: Fixed cookie expiration time format on Firefox bug: #10 (Thanks @junhanamaki)
• Bugfix: Fixed an issue of overwriting a variable: #11 (Thanks @junhanamaki)

Release 1.6

• Bugfix: Fixed truncated cookie value bug: #8 (Thanks @kipras)

Release 1.5

• Bugfix: Cookies are not always "secure": #5 @vladimir-smirnov-sociomantic
• Documentation: Added documentation about Nginx SSL/TLS configuration settings related to session lifetime and ssl session ids.

Release 1.4

• Bugfix: Fixed an issue where session configurations did get cached on a module level. This issue is discussed in pull-request #4: #4 (Thanks @kipras).
• Feature: Added session.new function.
• Change: session.start{ ... } (a call with config parameters) works now as expected.
• Change: session.start now returns additional extra boolean parameter that can be used to check if the session is s new session (false) or s previously started one (true).
• Documentation: Added documentation about Nginx configuration used as defaults (not read on every request), and documented session.new.