After the release of 3.9.0, a regression and an unexpected side-effect of a bug fix were noticed.
Firstly, you could not clear the user’s password when using
Uri::withUserInfo(''), so this is fixed in #2332.
Secondly, we discovered that
return $response->withHeader('Location', '/login'); no longer redirected in a browser. This isn’t a surprise as the
302 status code isn’t explicitly set developers were relying on a feature of PHP’s
header() function that set
302 for them. This side-effect was causing other issues such as #1730, so it was fixed in 3.9.0. To mitigate the effect of this change, 3.9.1 includes #2345 which sets the status code to
302 when you add a
Location header if the status code is currently 200. This change will not be forward-ported to 4.x though.
The full list of changes is here
Update: Shortly after the release of 3.9.1, it was discovered that #2342 should not have been merged as it breaks BC, so this PR was reverted in 3.9.2.