Merge pull request #195 from stanleysmall-microsoft/main

Release Notes and Breaking Change Documentation

Author: stanleysmall-microsoft

docs/release_notes.md

@@ -6,6 +6,9 @@ Below is a summary of the the main features/bug fixes in the most recent release
 
 ## Session State Provider Release Notes
 
+### v5.0.0
+This release provides an update for the RedisSessionStateProvider nuget package. As a BREAKING CHANGE, the underlying serialization method has changed. SessionStateItemCollection objects are now treated as an atomic unit. The ability to add custom serialization has been removed. These changes were made for necessary security improvements.
+
 **Note:** v4.0+ requires .NET Framework 4.6.2 or higher. v3.0+ requires .NET Framework 4.5.2 or higher. If you are using .net 4.0, 4.5.0 or 4.5.1, then please use an older version of Session State Provider (i.e. 2.x).
 
 ### v4.0.1
@@ -81,6 +84,9 @@ Updated `StackExchange.Redis.StrongName` to version 1.0.481 from 1.0.394. Due to
 
 ## Output Cache Provider Release Notes
 
+### v4.0.0
+This release provides an update for the RedisSessionStateProvider nuget package. As a BREAKING CHANGE, the underlying serialization method has changed. The ability to add custom serialization has been removed. These changes were made for necessary security improvements.
+
 **Note:** v4.0+ requires .NET Framework 4.6.2 or higher. v3.0+ requires .NET Framework 4.5.2 or higher. If you are using .net 4.0, 4.5.0 or 4.5.1, then please use an older version of Session State Provider (i.e. 2.x).
 
 ### v3.0.1

docs/v5.0.0 Breaking Change.md

@@ -0,0 +1,12 @@
+# v5.0.0 Breaking Change
+This release provides an update for the RedisSessionStateProvider nuget package. As a BREAKING CHANGE, the underlying serialization method has changed. SessionStateItemCollection objects are now treated as an atomic unit. The ability to add custom serialization has been removed. These changes were made for necessary security improvements.
+
+The BinaryFormatter type is insecure and can't be made secure [1]. The previous ASP.NET Session State Provider implementation for Redis relied on BinaryFormatter to serialize session state objects. No drop-in replacement exists for BinaryFormatter which does not require defining a contract for the serialized objects [2]. However, the SessionStateItemCollection type offers a serialization method based on BinaryWriter [3].  BinaryWriter serializes primitive types instead of generic objects [4].  
+
+[1] https://docs.microsoft.com/dotnet/standard/serialization/binaryformatter-security-guide 
+
+[2] https://stackoverflow.com/questions/12461321/what-does-system-serializableattribute-do 
+
+[3] https://docs.microsoft.com/dotnet/api/system.web.sessionstate.sessionstateitemcollection.serialize 
+
+[4] https://docs.microsoft.com/dotnet/api/system.io.binarywriter