
Version 1.2

- Cookies set on an HTTPS connection are now marked as secure, meaning
  they will not be transmitted over HTTP.

- CookieCrumbler now lets you disable or modify the Cache-Control
  header to work around MSIE's irrational handling of the Cache-Control
  header.  See MS knowledge base article #316431.

- The credentialsChanged() method was generating an incorrect cookie.
  Thanks to Richard Jones for finding this elusive bug.

- Made compatible with Zope 2.7 by raising Redirect exception instances
  rather than a string.


Version 1.1

- CookieCrumblers are now folders that hold login forms.  This makes
  it easier to use CookieCrumblers in sites that disallow anonymous
  access.  You now only need to grant the "View" permission to anonymous
  users in the context of the cookie crumbler.


Version 1.0

- Added unit tests.

- You can now specify what page authenticated users should see when
  Unauthorized errors occur.

- Login redirection now restores the query string.

- Reformatted CookieCrumbler.py to match the version in CMFCore.  This
  will make it easier to keep the two copies in sync.

- Changed the meta_type to not conflict with the version in CMFCore.

- Fixed CookieCrumbler to emit "Basic" and not "basic" auth as per HTTP
  spec (CMF Collector #14). This fixes some WebDAV locking problems with
  (rightfully) picky clients, like ExternalEditor.

- A "Cache-Control: no-cache" header is now sent along in responses
  that employ cookie auth to avoid potential security issues with
  public caches serving stored "authorized" pages.


Version 0.5

- Cookie crumblers were causing an authentication error on logout.
  Corrected.

- Cookie paths weren't being set correctly when local paths were turned
  on.  Actually, the enabling of local paths was reversed from what the
  checkbox label implied, doubling the confusion.

- Made sure inner cookie crumblers can override the logout form.


Version 0.4

- CookieCrumblers in nested folders are now possible.  You can just drop
  in a cookie crumbler anywhere to change the login form for that area of
  the site.  In fact, now you don't have to create a user folder just
  to change the login process.

- There is now a workaround for the problem with cookies being set even
  though the user entered an incorrect password.  RESPONSE.unauthorized()
  now cancels the cookie response header.  The new login_form and
  logged_in form both try to invoke unauthorized(), so make sure you
  install the new forms.

- Merged WebDAV source port fix from CMFCore

