WebAuth 4.5.1 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 4.5.1. This is a bug-fix release for the WebLogin component of WebAuth. All users of WebLogin should prefer this release to the 4.5.0 release, which had some serious bugs that interfered with single sign-on support.
For those upgrading from versions earlier than 4.5.0 who wish to use the new remember_login support, please note that, in addition to updating the login template (see the 4.5.0 release notes), you will need to add remember_login as a hidden form variable to the forms in the confirm, multifactor, and pwchange templates. See the sample templates that come with WebAuth for examples.
For documentation and downloads of WebAuth 4.5.1, see:
New Debian packages built against Apache 2.4 have been uploaded to Debian experimental.
The user-visible changes in this release are:
Fix bugs in the remember_login feature introduced in WebAuth 4.5.0 that would cause WebLogin to discard all single sign-on cookies in the default configuration and many other common situations. WebLogin should now reliably respect the value sent by the form, and should retain single sign-on and persistent factor cookies in situations where there is no opportunity for local templates to send a default setting.
Sites that wish to add the new UI element to the login page that allows the user to control whether single sign-on cookies are created will need to preserve the remember_login setting as a hidden form variable in any local confirm, multifactor, and pwchange templates. See the sample templates for examples.
The remember_login setting is now preserved through a forced password change due to an expired password. This, as with all the remember_login changes, requires updates to any local templates.
WebLogin now passes any user information message returned by the user information service to the confirm template as well as the multifactor authentication template. This allows the <userinfo> element in the user information service reply to be used to pass arbitrary information to the end user through the WebKDC and WebLogin components.
Avoid re-creating WebAuth cookies other than single sign-on cookies during WebLogin cookie processing, which fixes some corner-case bugs when the WebLogin server and WAS are on the same host.
Fix a few minor bugs in the installable mod_webauth test suite.
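The upgrade note and the remember_login items above both require every form in local confirm, multifactor, and pwchange templates to carry remember_login as a hidden variable. The following check for that is an added example, not part of WebAuth or its sample templates. The sample markup, its other field names, and the dictionary keys are constructed for illustration, and it assumes the templates parse as ordinary HTML.

```python
from html.parser import HTMLParser

class HiddenFieldAudit(HTMLParser):
    """Record the hidden input names found inside each <form>."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one set of hidden field names per form
        self._current = None   # set for the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = set()
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "hidden" and attrs.get("name"):
                self._current.add(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def forms_missing_field(template_text, field="remember_login"):
    """Return 1-based positions of forms that lack the hidden field."""
    audit = HiddenFieldAudit()
    audit.feed(template_text)
    audit.close()
    return [i for i, names in enumerate(audit.forms, 1) if field not in names]

def audit_templates(templates):
    """Map template name to the forms in it that drop remember_login."""
    report = {name: forms_missing_field(text) for name, text in templates.items()}
    return {name: missing for name, missing in report.items() if missing}

# Constructed sample markup (hypothetical), not the WebAuth sample templates.
HIDDEN = '<input type="hidden" name="remember_login" value="PLACEHOLDER">'
SAMPLE = {
    "confirm": f'<form method="post">{HIDDEN}<input type="submit"></form>',
    "multifactor": '<form method="post"><input type="hidden" name="username"'
                   ' value="PLACEHOLDER"><input type="text" name="otp"/></form>',
    "pwchange": f'<form method="post">{HIDDEN}</form>'
                '<form method="post"><input type="password" name="new"></form>',
}

if __name__ == "__main__":
    for name, missing in audit_templates(SAMPLE).items():
        print(f"{name}: form(s) {missing} do not preserve remember_login")
```

To check a real deployment, read each local template file into the dictionary passed to audit_templates. The check confirms only that the hidden field is present in each form, not that its value is carried over from the request.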