#840956 (Bug #72712) Made the details about changes to reviewers (e.g. 'Added user as a required reviewer') easier to distinguish from the description of the review in email notifications.
#840731 (Bug #72698) Adjusted edit reviewers activity to clearly report when users are added. Previously we just stated 'Made user a required reviewer'; it was unclear if they were being added or edited.
#838036, #838043, #838150 (Bug #61429) Added CSRF protection to all mutative actions. For authenticated users, requests that are not a GET (e.g. POST, DELETE, PATCH, etc.) must now include a valid _csrf token. Actions which are 'login_exempt' or 'csrf_exempt' do not require the token to be passed.
#835869 (Bug #72611) Fixed an issue where Swarm was not setting the 'Remember me' cookie with the secure flag when appropriate.
#835868 (Bugs #72548, #72568) Swarm can now be used in deployments where a proxy/balancer handles encryption and forwards plain HTTP traffic on to the Swarm server. When 'https_strict' is enabled, we now always send the HSTS header and we always flag cookies as secure only. Additionally, we now allow the administrator to disable the HTTPS redirect for HTTP clients by setting 'https_strict_redirect' to false under the 'security' config.
#835821 (Bug #72565) We now only start a session when needed (e.g. anonymous users don't get a session until they try to login). We also attempt to clear the session cookie on logout or session expiration.
#835815, #835866 (Bug #72678) The diff endpoint will now produce a 404 error when attempting to diff a non-existent file. Previously a 500 error was produced.
#835789 (Bug #72566) Swarm now supports specifying a session lifetime. If the session is not accessed for the specified duration, the user will be logged out. By default the duration is 30 days but can be adjusted by setting the 'gc_maxlifetime' under the 'session' config. This feature will apply when using the default file based session storage. Other storage backends are presently unverified.
#835577 (Bug #72564) Swarm no longer sends two Set-Cookie headers for the SWARM session ID on login. There is no functional change, this is just an aesthetic improvement to the response.
#835554 (Bug #72571) Fixed an issue where toggling the 'Remember me' checkbox on login did not correctly adjust the session lifetime.