Testing uncovered additional bugs in the WebLogin and mod_webkdc components of WebAuth (our site-wide web authentication system), so this is another bug-fix release. It only affects the central login server; the application module hasn't changed and doesn't need to be updated.

The biggest changes are around multifactor authentication, and particularly around error reporting and handling. The handling of errors such as invalid codes or rejections by the validation service was somewhat broken in 4.5.3 and earlier and even more broken in 4.5.4 (although in different ways). This release now avoids sending the user to dead-end error pages in more circumstances, displays better and more specific errors, and remembers whether the user has already been sent an SMS message, so they aren't forced to send another if they enter the code incorrectly. (This last change will require changes to the local multifactor template.)

This release also fixes replay detection, which had been broken by a partially-made change in the memcached key format, and applies rate limiting and replay detection to second factor logins as well as passwords. As a side effect, this corrects a UI issue where people could send themselves additional SMS messages by accident when using the browser's back button.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

