Skip navigation



WebAuth 3.2.0 Announcement

The ITSS WebAuth team is pleased to announce Stanford WebAuth 3.2.0. This newest version of WebAuth adds S/Ident support to the weblogin server, adds a preliminary port to Windows Apache, and fixes some bugs in the WebAuth and LDAP modules.

For documentation and downloads of WebAuth 3.2.0, see:


In this release, we've also updated the pre-build version of Apache to Apache 2.0.47. Pre-built binaries are, as before, available only for Solaris 8 and 9 at this time.

The user-visible changes in this release are:

  • Added S/Ident support to weblogin and the WebKDC.

  • Added a preliminary port to Windows. See the download page and the Windows install documentation for more details. Information about building WebAuth on Windows can be found in windows/BUILD.txt in the source distribution.

  • Fixed a bug when handling sub-requests (like in mod_autoindex). This could have caused authentication information to be incorrect in pages generated by fancy indexing.

  • Removed WebAuthProxyHeaders directive. Added new documentation to mod_webauth.xml that recommends people use mod_headers instead. See "Using WebAuth with Proxy Servers" in that document.

  • Modified WebAuthDontCache so it also adds "Pragma: no-cache" and "Cache-Control: no-cache" headers in addition to the "Expires" header.

  • Modified WebAuthDoLogout so that it enables WebAuthDontCache automatically. (If the logout page was cached, second and subsequent visits wouldn't remove the login cookie correctly.)

  • When returning redirects, make sure to set r->header_only so there is no extra content generated by Apache. Also set the same Expires, Pragma, and Cache-Control headers that WebAuthDontCache sets. This will hopefully work around the bugs that occur when caching redirects in some browsers.

  • Increased robustness of the privgroup handling in mod_webauthldap when the LDAP query returns multiple entries. Errors when looking for attributes in one entry no longer prevent checking for attributes in additional entries.

  • The weblogin test cookie is now a session cookie like the WebAuth cookie, so we test what we use, and so it works correctly with browsers that disable non-session cookies.

  • Build portability fix for Tru64 and other platforms whose sed cannot handle multiline patterns.

  • Removed extra logging from mod_webauth/webkdc.c, and moved other extraneous logging so it's only logged at a level of APLOG_DEBUG when WebAuthDebug is turned on.

Last modified Friday, 12-Dec-2014 02:31:13 PM

Stanford University Home Page