docs/releases/v3.2.1.rst
Security fixes
* The signed-value format used by `.RequestHandler.set_secure_cookie`
and `.RequestHandler.get_secure_cookie` has changed to be more secure.
**This is a disruptive change**. The ``secure_cookie`` functions
take new ``version`` parameters to support transitions between cookie
formats.
* The new cookie format fixes a vulnerability that may be present in
applications that use multiple cookies where the name of one cookie
is a prefix of the name of another.
* To minimize disruption, cookies in the older format will be accepted
by default until they expire. Applications that may be vulnerable
can reject all cookies in the older format by passing ``min_version=2``
to `.RequestHandler.get_secure_cookie`.
* Thanks to Joost Pol of `Certified Secure <https://www.certifiedsecure.com>`_
for reporting this issue.
Backwards-compatibility notes
.RequestHandler.set_secure_cookie in Tornado
3.2.1 cannot be read by older releases. If you need to run 3.2.1
in parallel with older releases, you can pass version=1 to
.RequestHandler.set_secure_cookie to issue cookies that are
backwards-compatible (but have a known weakness, so this option
should only be used for a transitional period).Other changes
* The C extension used to speed up the websocket module now compiles
correctly on Windows with MSVC and 64-bit mode. The fallback to
the pure-Python alternative now works correctly on Mac OS X machines
with no C compiler installed.