Content Toolkit

Ghost Release: 5.3.1

Tag Name: v5.3.1

Release Date: 7/13/2022

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

Open Source Blogging Static Site

TL;DR

Ghost v5.3.1: Cookie Authentication Fix for Non-SSL Environments

This patch release addresses a critical authentication issue where cookies were not working properly in environments without SSL. The update ensures that Ghost can function correctly in local development and production sites that don't use HTTPS, restoring proper session management and login capabilities.

Highlight of the Release

Fixed authentication cookies to work properly in non-SSL environments
Resolved session creation issues in local development setups
Ensured compatibility with production sites that don't use HTTPS

Migration Guide

No migration steps are required for this update. Simply upgrade to v5.3.1 to resolve the cookie authentication issues in non-SSL environments.

The fix is applied automatically and requires no configuration changes.

Upgrade Recommendations

This update is highly recommended for all Ghost installations, especially for:

Development environments used for local testing
Production sites running without SSL/HTTPS

The authentication cookie issue can prevent proper login and session management, so upgrading to v5.3.1 will restore normal functionality for affected environments.

Bug Fixes

Cookie Authentication Fix

Fixed an issue with authentication cookies when running Ghost without SSL. In a previous update, cookies were set with SameSite=None, which requires an SSL connection to function properly. This caused authentication failures in:

Local development environments
Production sites not using HTTPS

The fix ensures that authentication cookies work correctly regardless of whether the site uses SSL or not, allowing proper session creation with the browser.

New Features

No new features were introduced in this patch release. This update focuses exclusively on fixing the authentication cookie issue in non-SSL environments.

Security Updates

No explicit security fixes were mentioned in this release. The cookie authentication fix was primarily to restore functionality rather than address a security vulnerability.

Performance Improvements

No specific performance improvements were included in this patch release. The focus was on fixing the authentication cookie issue for non-SSL environments.

Impact Summary

This patch release resolves a significant usability issue that affected Ghost installations running without SSL. The previous cookie configuration with SameSite=None required SSL to function properly, which broke authentication in non-SSL environments.

The impact of this fix is particularly important for:

Developers working in local environments who were unable to maintain authentication sessions
Site administrators running production instances without HTTPS who experienced authentication failures
New Ghost installations in development environments where initial login was problematic

By addressing this issue, Ghost v5.3.1 ensures consistent authentication behavior across all deployment scenarios, whether using SSL or not.

Full Release Notes

🐛 Fixed cookies when running Ghost without SSL - Fabien 'egg' O'Carroll

View the changelogs for full details:

Ghost - v5.3.0...v5.3.1
Admin - TryGhost/Admin@v5.3.0...v5.3.1

🪄 Love open source? We're hiring Node.js Engineers to work on Ghost full-time

Statistics:

File Changed3

Line Additions3

Line Deletions3

Line Changes6

Total Commits3

User Affected:

Can now properly authenticate in local development environments without SSL
No longer need workarounds for cookie authentication issues when testing