Skip navigation



WebAuth 3.6.1 Announcement

The ITS WebAuth team is pleased to announce Stanford WebAuth 3.6.1. This release focuses primarily on improvements to the WebLogin server, particularly in the confirmation page and support for bypassing that page in various circumstances. It also contains significant code restructuring and build system updates that will make further improvements easier.

As of this release, WebAuth is now maintained in Git. Russ Allbery hosts a gitweb interface to the repository and an anonymous Git server at

For documentation and downloads of WebAuth 3.6.1, see:


New Debian packages have been uploaded to Debian unstable. Updated Red Hat packages will be available shortly. We are no longer producing binary builds for Solaris.

The user-visible changes in this release are:

  • Setting $BYPASS_CONFIRM in the WebLogin configuration now also suppresses the confirmation page after username/password login provided that the browser supports HTTP/1.1 (and the web server tells the WebLogin script that in the form Apache does).

  • Setting $BYPASS_CONFIRM to the special value "id" in the WebLogin configuration suppresses the confirmation page only if the WebAuth Application Server requests an id token (in other words, only asks for the user's identity). If it instead requests a proxy token, which would allow it to later ask for delegated user credentials, the confirmation page is still displayed.

  • Add a new WebLogin configuration variable $TOKEN_ACL. If set to the path of the token.acl file used by the WebKDC, and if the WebAuth Application Server requests a proxy token, the list of credentials the WAS may request is provided to the confirmation page template for display to the user. See doc/weblogin-config for more information.

  • WebLogin now sets and updates its cookies after successful authentication even if the confirmation screen is bypassed. This primarily affects the update of the expiration time of the REMOTE_USER cookie.

  • Handle err_confirm in the error.tmpl sample template and document this in doc/weblogin-config. This error is returned when redisplaying the confirmation page after a change in the REMOTE_USER cookie.

  • Fix a coding error in login.fcgi when redisplaying the confirmation page fails. Thanks to pod for the report.

  • Fix an off-by-one error in error code to error string mapping in WebKDC::WebKDCException that resulted in incorrect error names in WebLogin error messages. Thanks to pod for the report.

  • The WebLogin scripts and templates are now installed by default under /usr/local/share/weblogin. This can be modified with the --prefix or --datadir options to configure.

  • There is no longer an install-tests target; instead, to install the test suite, copy the directories under tests/mod_webauth recursively. This will be replaced by a better test suite mechanism in a future version of WebAuth.

  • Update the mod_webauth documentation to reflect that separate WebAuth servers in the same load-balanced pool can use separate keytabs. Only the keyring needs to be shared between systems.

  • Improved the comments in the provided sample configuration files.

  • Update the INSTALL documentation for obtaining keytabs for Stanford users to reference wallet instead of leland_srvtab.

Last modified Friday, 12-Dec-2014 02:31:12 PM

Stanford University Home Page