diff --git a/CHANGES b/CHANGES
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,23 @@
+Version 0.15.1.0 released 10 Dec 2021
+
+  * Set the portable flag on sendfile to avoid an error
+    on Windows builds (#651).
+
+  * Fix Windows stack build (mintty issue).
+
+  * Update dependencies to use latest released pandoc.
+
+  * Update CI and add a Windows build.
+
+  * Use `mkSessionCookie` to fix a regression introduced in
+    0.15.0.0 which made user sessions unreadable, breaking
+    user authentication (#674).
+
+  * Network.Gitit.Framework: export `mkSessionCookie` [API change].
+
+  * Fix build for pandoc <= 2.12.0 (#676, Stephen Paul Weber).
+
+
 Version 0.15.0.0 released 12 Aug 2021
 
   * Remove the Export feature entirely.
diff --git a/gitit.cabal b/gitit.cabal
--- a/gitit.cabal
+++ b/gitit.cabal
@@ -1,6 +1,6 @@
 cabal-version:       2.0
 name:                gitit
-version:             0.15.0.0
+version:             0.15.1.0
 build-type:          Simple
 synopsis:            Wiki using happstack, git or darcs, and pandoc.
 description:         Gitit is a wiki backed by a git, darcs, or mercurial
@@ -133,9 +133,9 @@
                      mtl,
                      old-time,
                      temporary,
-                     pandoc >= 2.9 && < 2.15,
+                     pandoc >= 2.9 && < 2.17,
                      pandoc-types >= 1.20 && < 1.23,
-                     skylighting >= 0.8.2.3 && < 0.12,
+                     skylighting >= 0.8.2.3 && < 0.13,
                      bytestring,
                      text,
                      random,
@@ -166,7 +166,7 @@
                      xml-conduit >= 1.5 && < 1.10,
                      http-conduit >= 2.1.6 && < 2.4,
                      http-client-tls >= 0.2.2 && < 0.4,
-                     aeson >= 0.7 && < 1.6,
+                     aeson >= 0.7 && < 2.1,
                      uuid >= 1.3 && < 1.4,
                      network-uri >= 2.6,
                      network >= 2.6 && < 3.2,
diff --git a/src/Network/Gitit/Authentication.hs b/src/Network/Gitit/Authentication.hs
--- a/src/Network/Gitit/Authentication.hs
+++ b/src/Network/Gitit/Authentication.hs
@@ -395,7 +395,7 @@
   if allowed
     then do
       key <- newSession (sessionData uname)
-      addCookie (MaxAge $ sessionTimeout cfg) (mkCookie "sid" (show key))
+      addCookie (MaxAge $ sessionTimeout cfg) (mkSessionCookie key)
       seeOther (encUrl destination) $ toResponse $ p << ("Welcome, " ++
         renderHtmlFragment (stringToHtml uname))
     else
@@ -478,7 +478,7 @@
                      addUser (uUsername user) user
                      key <- newSession (sessionData userEmail)
                      cfg <- getConfig
-                     addCookie (MaxAge $ sessionTimeout cfg) (mkCookie "sid" (show key))
+                     addCookie (MaxAge $ sessionTimeout cfg) (mkSessionCookie key)
                      seeOther (encUrl destination) $ toResponse ()
           Left err -> do
               liftIO $ logM "gitit" WARNING $ "Login Failed: " ++ ghUserMessage err ++ maybe "" (". Github response" ++) (ghDetails err)
@@ -543,7 +543,7 @@
        user <- liftIO $ mkUser (fromMaybe userId email) (fromMaybe "" email) "none"
        updateGititState $ \s -> s { users = M.insert userId user (users s) }
        key <- newSession (sessionData userId)
-       addCookie (MaxAge $ sessionTimeout cfg) (mkCookie "sid" (show key))
+       addCookie (MaxAge $ sessionTimeout cfg) (mkSessionCookie key)
        see $ fromJust $ rDestination params
       where
         prop pname info = lookup pname $ R.userData info
diff --git a/src/Network/Gitit/Authentication/Github.hs b/src/Network/Gitit/Authentication/Github.hs
--- a/src/Network/Gitit/Authentication/Github.hs
+++ b/src/Network/Gitit/Authentication/Github.hs
@@ -36,7 +36,7 @@
   let destination = pDestination params `orIfNull` (base' ++ "/")
   key <- newSession $ sessionDataGithubStateUrl state destination
   cfg <- getConfig
-  addCookie (MaxAge $ sessionTimeout cfg) (mkCookie "sid" (show key))
+  addCookie (MaxAge $ sessionTimeout cfg) (mkSessionCookie key)
   let usingOrg = isJust $ org $ githubAuth cfg
   let scopes = "user:email" ++ if usingOrg then ",read:org" else ""
   let url = appendQueryParams [("state", BS.pack state), ("scope", BS.pack scopes)] $ authorizationUrl githubKey
diff --git a/src/Network/Gitit/Framework.hs b/src/Network/Gitit/Framework.hs
--- a/src/Network/Gitit/Framework.hs
+++ b/src/Network/Gitit/Framework.hs
@@ -53,6 +53,7 @@
                                , getMimeTypeForExtension
                                , validate
                                , filestoreFromConfig
+                               , mkSessionCookie
                                )
 where
 import Safe
@@ -81,6 +82,7 @@
 authenticate :: AuthenticationLevel -> Handler -> Handler
 authenticate = authenticateUserThat (const True)
 
+
 -- | Like 'authenticate', but with a predicate that the user must satisfy.
 authenticateUserThat :: (User -> Bool) -> AuthenticationLevel -> Handler -> Handler
 authenticateUserThat predicate level handler = do
@@ -100,13 +102,17 @@
 -- | Run the handler after setting @REMOTE_USER@ with the user from
 -- the session.
 withUserFromSession :: Handler -> Handler
-withUserFromSession handler = withData $ \(sk :: Maybe SessionKey) -> do
-  mbSd <- maybe (return Nothing) getSession sk
+withUserFromSession handler = withData $ \(mbsk :: Maybe SessionKey) -> do
+  mbSd <- maybe (return Nothing) getSession mbsk
   cfg <- getConfig
   mbUser <- case mbSd of
             Nothing    -> return Nothing
             Just sd    -> do
-              addCookie (MaxAge $ sessionTimeout cfg) (mkCookie "sid" (show $ fromJust sk))  -- refresh timeout
+              case mbsk of
+                Nothing -> return ()
+                Just sk ->
+                  addCookie (MaxAge $ sessionTimeout cfg) -- refresh timeout
+                            (mkSessionCookie sk)
               case sessionUser sd of
                 Nothing -> return Nothing
                 Just user -> getUser user
@@ -356,3 +362,7 @@
          Git       -> gitFileStore       $ repositoryPath conf
          Darcs     -> darcsFileStore     $ repositoryPath conf
          Mercurial -> mercurialFileStore $ repositoryPath conf
+
+-- Create a cookie with the session key.
+mkSessionCookie :: SessionKey -> Cookie
+mkSessionCookie (SessionKey key) = mkCookie "sid" (show key)
diff --git a/src/Network/Gitit/Util.hs b/src/Network/Gitit/Util.hs
--- a/src/Network/Gitit/Util.hs
+++ b/src/Network/Gitit/Util.hs
@@ -42,6 +42,10 @@
 import Text.Pandoc (Extension(..), Extensions, getDefaultExtensions, enableExtension)
 import Network.URL (encString)
 
+#if !MIN_VERSION_pandoc(2,12,0)
+import qualified Data.Text as T
+#endif
+
 -- | Read file as UTF-8 string.  Encode filename as UTF-8.
 readFileUTF8 :: FilePath -> IO Text
 #if MIN_VERSION_pandoc(2,12,0)
