- 0.10.4
  * missing expire_sessions() fixed in periodic tasks
  * verify_session() method in auth checks cookie against db
  * Refactor out _expire_session() in auth
  * Refactor out _compute_caps() in auth
- 0.10.3
  * More efficient session expiration in optional()
  * Overhaul of periodic tasks
  * Fewer //'s in auto-generated paths
  * M4_TAPIR_PACKAGE_PATH is automatically set by Config (must run in tapir directory)
  * Redesign of save_post_variables improves reliability, works in no-Javascript case.
  * Hash checking code allows variable # of fields in session cookie
  * cleanup logic in optional() -- permanent login is now more reliable because it's checked under more boundary cases; in particular, when the session is expired. We're currently NOT trying permanent login after detecting a mangled (malformed or incorrectly signed) cookie.
  * optional() return value matches documentation
  * Better handling of no-cookie case/underscoring fix
  * Now can log in with nickname, email or both
  * more descriptive errors in assert_one_row()
  * more statistics on management screen
  * updated (internal) configuration management to work with subversion
  * removed the last of the CVS directories
  * tapir-install ignores .svn directories
  * conf-orig fix in documentation
  * Solaris install docs
  * database scripts no longer require bash (Solaris compatibility)
  * moved to subversion version control
  * required() and optional() WILL NOT function if headers have been sent. This may be a breaking change.
  * _populate_user_info creates null array if user isn't logged in -- call to $auth->require() removed
  * removed superfluous semicolons from conf-orig
  * paul is no longer the default bounce user
  * fixed missing quote in conf-orig
  * checked in email-to-select-confirm.php.m4 and -head file
- 0.10.2
  * Fixed tapir_dest redirect for e-mail verification
  * Fixed rw access for session create
  * Fixed rw access for session expire
  * Removed webalizer cruft from vhost config/put php configuration in correct location
  * Eliminated "open" column from tapir_sessions: not necessary, open sessions have end_time=0.
  * Eliminated header("Location: ") in favor of $tapir_auth->redirect().
  * A lot of underscoring in Tapir_Auth to clarify API, directions for future refactor.
  * update to error.php message
  * eliminated unnecessary UNLOCK on error
  * added $tapir_auth global
  * error handling and logging when running as a script
  * error logging to table tapir_error_log
  * eliminated more tapir_connect_rw()'s from tapir-auth
  * $auth->redirect() now tries to redirect with Javascript if headers are already sent. This means error handling works correctly while HTML is being output.
- 0.10.1
  * Database schema changes and register_globals changes broke email templates. Fixed
  * Efficient handling of rw connections in tapir-auth
  * Shortened session reissue time on test server so problems with session reissue are more likely to be noticed.
  * Fixed bug that prevented session reissue
  * Database: lazy load
  * Added goals and privacy docs
  * Removed obsolete documentation
- 0.10.0
  WARNING: 0.10.0 makes major changes to the database schema. The upgrade from 0.9.0 is a bit difficult, but lays the foundation for better security and performance. Future upgrades will be easier.
  * Can now use InnoDB tables
  * Eliminated dependence on register_globals
  * Now works with Apache 2
  * Post variables saved across login
  * Split password information into separate table
  * Split non fixed-length columns out of tapir_sessions
  * Moved configuration files to better isolate site-dependent files
  * Renamed header and footer for less conflict with other applications
  * Simplified database grants (tapir_ro is really ro)
  * PHP activated in vhost conf files (so we can have PHP and non-PHP vhosts on the same server)
  * We no longer use UNIX_TIMESTAMP() in MySQL, so session handling is not affected by clock skew when the db is on a different machine than the web server