devtools-request: transmit the headers keyword argument to the request class Otherwise the headers kwargs end up in the form. This is very useful for testing publish logic related to http header (as cache).

[security] use a stronger encryption algorythm for password, keeping bw compat Administrator should ask their users to reenter new password so they benefit from the new encryption. Also, new encryption is cross-platform compatible, eg you may now move an instance from windows to linux painlessly

[cache] factorize _validate_cache() logic implemented in wsgi and twisted handlers

[fake-request] support `http_method()`

[Web-Request] Use rich header (closes #2204164) Unify header management. All web request use the Headers class now (imported from twisted). Code dedicated to header management have been merged into the base WebRequest class.

http-header: support __contains__ in Headers You can now use:: >>> 'expires" in headers True

[web] Move request handling logic into cubicweb application. (closes #2200684) We improve http status handling in the process: ``application.publish`` have been renamed to ``application.handle`` to better reflect it's roles. The request object gain a status_out attribute to convey the HTTP status of the response. WSGI and etwist code have been updated. Exception gain status attribute

[login] split authentication logic from post authentication logic (closes #2200755) * The Session manager is now only in charge of providing a valid session. * LoginControllers are now used in all case but wrong credential. * The LoginControllers are in charge of redirecting the user to the page wanted to see in the first place, expected to see. * The login form is now always submitted to the login controller with an extra argument pointing to the url we should redirect too after successful authentication. The ``"log out first logic"`` logic on login controller is removed because: 1. Other web actor do not do that. 2. Removed code do not need to be reimplemented. 3. We can only get it to work again in a single case: use do a GET request on http://www.my-cw-stuff.io/login 4. I do not see it's purpose.