Important security updates Siena 0.9.11 and Genoa 0.6.24 2012-08-01

You have probably seen the recent news about database leaks at LinkedIn, Yahoo, etc. So you may be worried what happens to your users if your database is stolen somehow. The good news is that passwords are not stored as plain text but are hashed with MD5. The bad news is that MD5 is rather easy to bruteforce.

So, we made some major improvements to the way passwords are hashed in Cotonti and it is now using SHA256 with random salts by default, provides some hashing options and gives plugin developers an opportunity to implement their own hashing methods. An update is recommended to both Siena and Genoa users. After upgrade, existing user passwords will still be hashed with MD5, but as soon as they change their passwords, new hashing functions will be applied.

The Genoa update 0.6.24 includes one more security patch, so it is highly recommended to update if you let strangers enter your Administration panel.

The Siena update 0.9.11 includes lots of bug fixes and enhancements including Daylight Saving Time support. See release notes for more information.

Siena 0.9.10 released 2012-06-01

We are glad to announce you Cotonti Siena 0.9.10 which may be considered as a "beta" because now we are just a few tasks away from 1.0. Here is the list of changes in this release:

• Simple XML sitemap plugin and Autoalias in the standard package.
• Cache options in news and recentitems plugins for index page to load faster for guests.
• Ability to delete a page by clicking a link rather than submitting a form.
• Custom themes support and fixes in JS/CSS consolidator.
• "Installed only" view in Administration / Extensions.
• Custom breadcrumbs resources for themes, resources and lang files in admin themes.
• Fixed more than 18 bugs.

For more information see release notes.

This month we're starting several important social activities here at cotonti.com, so follow the news feed.

Cotonti and the EU e-Privacy Directive 2012-05-28

On May 26th, 2011, the European Union accepted a new legislative directive regarding the use of web cookies. Also known as the Cookie Law, it applies to how you use cookies and similar technologies for storing information on a user’s equipment such as their computer or mobile device. It means that you have to get your visitors informed consent before placing a cookie on their machine. The law officially came into effect on May 26th, 2012, but since each EU member state has to implement its own version of the law, enforcement of the law may be delayed.

The law applies to cookies set by websites owned by organizations or individuals operating/living in the European Union. The law allows an exception for cookies which are "strictly necessary for a service requested by a user", such as those used to remember when something has been added to a shopping basket or allowing users to login. These cookies would be implicitly expected by the user. However, the law always applies to cookies which store personal information (such as names and email addresses).

The Cotonti CMS uses only one cookie. This cookie is used to store the user ID and session identifier after a user logs in. No personal information is involved. Also, the cookie is opt-in, meaning it's only stored if the user enables the 'remember me' checkbox on the login form. However, Cotonti does allow to force the 'remember me' option through the admin panel, which would hide the 'remember me' checkbox and enable it in the background. Since this behavior is not implicitly expected by a user, nor is the cookie a requirement for Cotonti to operate, forcing the 'remember me' option would probably not be allowed under the new law.

We recommend to do the following:

• Disable the 'Force remember me' setting in Admin => Config => Users.
• Make sure the 'Remember me' checkbox appears in the login form, otherwise check your template files.
• Add a short text below the login form, or in the general conditions / privacy policy of your site, explaining the 'Remember me' feature will store a cookie on the visitor's computer containing anonymous session data.

Important note

Since each EU member state has to implement its own version of the law (the EU version is just a directive), details of the law may be different between countries. For example, the Dutch version also includes legislation on net neutrality. You should therefore inform yourself of the exact details of the law in your own country. The Cotonti Team and the author of this article accept no liability for any inaccuracies in the article. It's your own responsibility to ensure your site complies with local and international laws.

Security update Siena 0.9.9 2012-04-15

An SQL injection vulnerability has been found recently in Administration part of Polls module by vekt0r, so we release 0.9.9 shortly as a security update for 0.9.x branch.

This update also includes significant changes in site security system and fixes for all recently discovered bugs.

Head to release notes page for more information.

Siena 0.9.8 is available 2012-04-02

Thanks to the increasing interest for Cotonti Siena in the community during last 2 months, together we have found and solved over 33 bugs and made about 20 requested enhancements. The most important features in this release include:

• Extension categories. Plugins are grouped by category in the Installer and there is Category View in Administration / Extensions.
• A “Multihost” mode which allows the site to run on multiple host names and ports. See $cfg['multihost'] in config.php.
• Built-in CAPTCHA management and Security section in Configuration.
• Extra fields are supported in Forums, Comments and Contact.
• An option to log out from all devices at once.
• Category filter in Recent Items plugin.

Visit the release page to see other new features and more details.

By the way, do you have a cool site running Cotonti? Don't forget to add it to our showcase. It helps to demonstrate the newcomers what can be done using this wonderful system.

3 years on air! 2012-02-01

Our project has been publicly available for 3 years by now! It's hard to believe but time passes so fast. I like measuring the progress by statistics, so here are some interesting facts about what we have achieved during these 3 years:

• 36 releases! it is exactly 1 release per month on the average;
• 20 people have made 4658 commits in our repository, of which 2284 are in the main branch;
• 804 tasks completed;
• 27242 downloads of just the core packages;
• 165 plugins added to the downloads section;
• main branch code base has grown from 30k lines to 63k lines of code.

Quite impressive, isn't it? And how about the birthday present? Here it is! It's called "Siena 0.9.7" and it contains over 30 bugfixes and over 10 enhancements among which there are:

• Improved versioning and dependency checks in Administration / Extensions
• Improved output and error pages for fatal errors, read more... and more
• CKEditor 3.6.2
• HTMLPurifier 4.4.0
• PFS links for comments
• SEO: correct canonical URLs and no duplicate URLs in forums
• Hook for plugins and third-party presets in URLEditor
• Meta keywords for page lists
• Page start date updated upon publications

Now it's time to celebrate!

Genoa 0.6.21 is available 2012-01-15

What's new:

• CoTemplate 2.7.2 backported from Cotonti Siena (supports FOR loops and fixes a bug in expressions).
• Sites can run on custom HTTP ports other than 80.
• All page TPL-tags are available in tag search results (tags plugin).

Happy New Year 2012! 2011-12-31

Cotonti Team and Community wishes you all the best in the New Year 2012. We have prepared some presents which could be useful for you in the upcoming year:

• Adminizio, an alternative administration panel theme for Cotonti Siena.
• A whole garland of fresh plugins: CLeditor, FancyBox, Lastcommentsa, PageMultiAvatar, PHPMailer, OpenInviter, MobiSwitcher.
• Some ongoing updates in Facebook plugins.
• Pieter has updated Gameportal theme for Genoa and just released a Siena version. Dragonzap released his alternative administration panel theme and gallery plugin a while ago.

And guess what? TPL Tags Repository is back online, supporting both Siena and Genoa branches simultaneously!

2012 is going to be a great year for Cotonti project: it will reach v1.0.0, grow stability, documentation, the number of long awaited extensions and new themes. Let it be a great year for you too!

Siena 0.9.6 released 2011-12-05

We continue improving Siena branch on our way to 1.0.0 release. What's new in 0.9.6:

• CoTemplate 2.7 with FOR loops
• Page drafts
• Rightless user groups (more lightweight)
• jQuery 1.7.1
• Debug mode for hooks
• Over 10 other enhancements
• Over 25 bugs fixed

For more information please visit Release notes.

You might notice that we had a poll a while ago to pick the best name for 1.0.x branch. The name of Valencia has been the most popular. However, at Cotonti Team we decided to continue using Siena as the name for 1.0.x branch for 2 obvious reasons: a) 1.0.x is fully compatible with 0.9.x; b) rebranding is quite an expensive thing. So we will use those wonderful names of Avila and Valencia later when it is really time for a new branch name.

Another message from Cotonti headquarters: the developers have shifted their focus from development of new features to stabilization of Siena code, improvements in extension repository and documentation writing. Your input in this direction is highly appreciated.

Cotonti Developer Tools 1.3 2011-10-05

Did you know that a GUI tool for generating Cotonti extensions from templates and converting plugins from Genoa to Siena exists? Now you do. The program is available in English and Russian and has some powerful wizards which will automate some tasks for extension developers and experimenters.

System requirements: Microsoft Windows, Microsoft .NET Framework 4.

Download: from developer's site.