Log Message:
Updated to version 3.2.1

Security fixes

    The signed-value format used by RequestHandler.set_secure_cookie and
    RequestHandler.get_secure_cookie has changed to be more secure. This is a
    disruptive change. The secure_cookie functions take new version parameters
    to support transitions between cookie formats.
    The new cookie format fixes a vulnerability that may be present in
    applications that use multiple cookies where the name of one cookie is a
    prefix of the name of another.
    To minimize disruption, cookies in the older format will be accepted by
    default until they expire. Applications that may be vulnerable can reject
    all cookies in the older format by passing min_version=2 to
    RequestHandler.get_secure_cookie.
    Thanks to Joost Pol of Certified Secure for reporting this issue.

Backwards-compatibility notes

    Signed cookies issued by RequestHandler.set_secure_cookie in Tornado 3.2.1
    cannot be read by older releases. If you need to run 3.2.1 in parallel with
    older releases, you can pass version=1 to RequestHandler.set_secure_cookie
    to issue cookies that are backwards-compatible (but have a known weakness,
    so this option should only be used for a transitional period).

Other changes

    The C extension used to speed up the websocket module now compiles
    correctly on Windows with MSVC and 64-bit mode. The fallback to the
    pure-Python alternative now works correctly on Mac OS X machines with no C
    compiler installed.