WebAuth 3.7.1

After additional security review of the new password change functionality in WebAuth 3.7.0, we've decided that we want to always reprompt the user for their current password on the same screen as the password change, even if they'd just authenticated. This version implements that, with a new configuration option that allows one to select the previous behavior of not reprompting for the password if one prefers. It also improves the error reporting in WebLogin on password change failures.

Also in this release are fixes for build failures on Red Hat, whose apxs doesn't provide all the required compiler flags to build Apache modules, and a fix to a long-standing bug in mod_webkdc. The WebKDC was documented to create single sign-on proxy cookies, by default, with the same expiration time as the underlying Kerberos credential, but the code forced the expiration time to a maximum of ten hours. The code now behaves as documented.

You can get the latest version from the official WebAuth distribution page or from my unofficial distribution page.

Posted: 2010-07-23 13:12 — Why no comments?

Last spun 2013-07-01 from thread modified 2013-01-04