WebAuth 3.6.1

Since the first release of WebAuth version 3, we've forced a click-through confirmation page whenever a user first visits a site that requires authentication. This was partly for consistency with the login behavior, where a confirmation page was required for versions of HTTP prior to 1.1, but I think it's a useful security feature to have transitions between unauthenticated and authenticated space flagged.

Unfortunately from my perspective, others do not agree. It also does make things hard for portal sites that want to display lots of other sites in <iframe> or an equivalent. The word has therefore come down to get rid of that confirmation page.

Suppression in some circumstances was already supported due to work contributed by MIT, but this release also suppresses the confirmation page after the login form entry if the browser supports it and supports displaying the confirmation page only if tickets are potentially delegated to the remote site. We'll keep using the latter, since we want users to know when that happens. There are also some other accumulated fixes, mostly affecting the WebLogin server.

As of this release, WebAuth is also maintained in Git.

I was hoping to do a general coding style cleanup and bring WebAuth in line with my other packages with this release, but I ran out of time to meet work deadlines. This is therefore only a partial modernization of the build system and coding style. The build has switched to Automake, but it isn't yet using rra-c-util or C TAP Harness. I hope to do another release fairly quickly with those additional improvements and more cleanup.

With this release, I finally got around to giving WebAuth a presence on my web pages with my standard software page and HTML versions of the documentation. The primary WebAuth site is still webauth.stanford.edu, which I also maintain, but having this page on my own web pages appeals to my sense of symmetry. It also has a few links and bits of information that aren't (yet) on the main site.

You can download the release from either my page or the official site.

Posted: 2009-07-14 20:17 — Why no comments?

Last spun 2022-12-12 from thread modified 2022-07-23