docs: add changelog and upgrading

kenjis · MGatner · commit 3bbd391a51c5 · 2022-12-22T02:35:04.000Z
diff --git a/user_guide_src/source/changelogs/v4.2.11.rst b/user_guide_src/source/changelogs/v4.2.11.rst
@@ -13,11 +13,15 @@ SECURITY
 ********
 
 - *Attackers may spoof IP address when using proxy* was fixed. See the `Security advisory GHSA-ghw3-5qvm-3mqc <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-ghw3-5qvm-3mqc>`_ for more information.
+- *Potential Session Handlers Vulnerability* was fixed. See the `Security advisory GHSA-6cq5-8cj7-g558 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-6cq5-8cj7-g558>`_ for more information.
 
 BREAKING
 ********
 
 - The ``Config\App::$proxyIPs`` value format has been changed. See :ref:`Upgrading Guide <upgrade-4211-proxyips>`.
+- The key of the session data record for :ref:`sessoins-databasehandler-driver`,
+  :ref:`sessoins-memcachedhandler-driver` and :ref:`sessoins-redishandler-driver`
+  has changed. See :ref:`Upgrading Guide <upgrade-4211-session-key>`.
 
 Bugs Fixed
 **********
diff --git a/user_guide_src/source/installation/upgrade_4211.rst b/user_guide_src/source/installation/upgrade_4211.rst
@@ -29,6 +29,29 @@ The config value format has been changed. Now you must set your proxy IP address
 
 ``ConfigException`` will be thrown for old format config value.
 
+.. _upgrade-4211-session-key:
+
+Session Handler Key Changes
+===========================
+
+The key of the session data record for :ref:`sessoins-databasehandler-driver`,
+:ref:`sessoins-memcachedhandler-driver` and :ref:`sessoins-redishandler-driver`
+has changed. Therefore, any existing session data will be invalidated after
+the upgrade if you are using these session handlers.
+
+- When using ``DatabaseHandler``, the ``id`` column value in the session table
+  now contains the session cookie name (``Config\App::$sessionCookieName``).
+- When using ``MemcachedHandler`` or ``RedisHandler``, the key value contains
+  the session cookie name (``Config\App::$sessionCookieName``).
+
+There is maximum length for the ``id`` column and Memcached key (250 bytes).
+If the following values exceed those maximum length, the session will not work properly.
+
+- the session cookie name, delimiter, and session id (32 characters by default)
+  when using ``DatabaseHandler``
+- the prefix (``ci_session``), session cookie name, delimiters, and session id
+  when using  ``MemcachedHandler``
+
 Project Files
 *************
 
@@ -46,3 +69,4 @@ many will be simple comments or formatting that have no effect on the runtime:
 * app/Config/Toolbar.php
 * app/Views/welcome_message.php
 * composer.json
+
