Apostrophe CMS Main Site Forum Home

Apostrophe 2.88.0: options to reduce use of sessions, fixes and more

  • An optional improvement to eliminate the use of session storage for most site visitors. By default, Apostrophe creates a session for every site visitor, even an anonymous visitor, to provide full CSRF protection. You may now optionally disable this for anonymous visitors:
modules: {
  'apostrophe-express': {
    csrf: {
      disableAnonSession: true

When you do this, anonymous visitors receive only basic CSRF protection based on a known header value and the fact that the Same Origin Policy does not allow requests to be made by JavaScript unless the page is on the proper site.

For performance reasons the largest sites will likely find this to be a valuable option.

  • apos.global.findGlobal now officially supports returning a promise. This was an unofficial side effect in earlier releases that ceased to work in recent releases.

  • Updated the version of moment that ships on the front end to the latest minor release.

  • Eliminated unnecessary arrangeFields warnings. apostrophe-groups is set up properly, the trash field no longer generates warnings when workflow is active, and reverse joins no longer generate warnings as they have no editing UI.

  • null values were able to crash the schema converters for strings, integers and floats when those fields were required. This has been fixed.

Thanks to Michelin for making much of this work possible through Apostrophe Enterprise Support.