Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

WebAuth 4.5.5 released

Russ Allbery eagle at
Thu Aug 29 15:13:59 PDT 2013

The ITS WebAuth team is pleased to announce Stanford WebAuth 4.5.5.  This
is a bug-fix release for the WebLogin and WebKDC components of WebAuth,
particularly for multifactor authentications.  There is no need for
WebAuth Application Servers to upgrade to this release.

For documentation and downloads of WebAuth 4.5.5, see:


The user-visible changes in this release are:

    Fix replay detection in WebLogin to use the same memcached object
    naming convention when registering authentications and when checking
    for a previous authentication.

    If the login is rejected by the user information service, WebLogin now
    displays a more specific error instead of the generic "something went
    wrong" error page.

    If a multifactor authentication is rejected by the validation service,
    the user is now returned to the multifactor authentication screen and
    the error message is provided to the template, rather than taking the
    user to a dead-end error page with a generic error.

    If enabled, rate limiting and replay detection are also applied to the
    multifactor login page in addition to the password login page.

    Support remembering that the user has been sent an SMS message already
    when redisplaying the multifactor login page after an error.  For this
    to work properly, local templates will have to be updated to set the
    form parameter multifactor_sentauth if an SMS message has already been
    sent.  See the sample multifactor.tmpl file for an example.

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University

More information about the webauth-announce mailing list