WebAuth 3.5.4 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 3.5.4. This release fixes mod_webauthldap configuration parsing, adds various minor feature enhancements, and improves presentation of Shibboleth IdP authentication.
For documentation and downloads of WebAuth 3.5.4, see:
We have not yet updated the Red Hat and Solaris builds.
The user-visible changes in this release are:
Add a configuration option to WebLogin to attempt to decode return URLs pointing to a Shibboleth IdP and display on the confirmation page the final destination instead of the intermediate IdP.
For pages that the browser should reload each time (WebAuthDoLogout or WebAuthDontCache), also always set the content modification time to now. Otherwise, the browser may check the last modification time on the page and then serve its cached copy, ignoring any new Cookie headers from the server (such as cookie clearing from a logout page).
For WebAuthDoLogout, WebAuthDontCache, and all WebLogin pages, set Cache-Control: no-store as well as no-cache. no-store wasn't really intended for this purpose but preventing the browser from keeping a local copy is more likely to force the behavior we want. (This is probably not necessary given the above change, but shouldn't hurt.)
Properly merge configuration settings in mod_webauthldap. This will correct problems with WebAuthLdapAuthrule, WebAuthLdapFilter, and WebAuthLdapPort configuration options not being honored inside virtual hosts. Thanks to Wadud Miah for the bug report.
Refresh the REMOTE_USER configuration cookie on each WebLogin page visit so that it won't expire if the user is using WebLogin regularly.
Document the cookies used by the WebLogin service.
Read ticket defaults from krb5.conf properly when built with Heimdal.
Fix configure logic and Kerberos library analysis on systems with multiple versions of Kerberos installed.