webauth-weblogin (4.5.0-1) experimental; urgency=low

  Creating single sign-on cookies is no longer the default in the WebLogin
  code; instead, it is controlled by a form parameter on the login form.
  Sites wanting to maintain the previous behavior should either add a
  checkbox (checked by default) to their login form similar to:

  with appropriate associated wording, and add remember_login as an
  additional hidden form variable to all of the forms in the multifactor,
  confirm, and pwchange templates.  See the sample templates in
  /usr/share/weblogin/generic/templates for examples, which include a more
  complex example for the login page that preserves the checkbox after a
  failed authentication.

  Alternatively, to keep the previous behavior without changing the UI,
  add:

    $REMEMBER_FALLBACK = 'yes';

  to /etc/webkdc/webkdc.conf.  This setting controls the default used when
  no remember_login value is sent by the login HTML form.

 -- Russ Allbery  Fri, 26 Apr 2013 13:31:11 -0700

webauth-weblogin (3.7.0-1) unstable; urgency=low

  The default help.html page is now in
  /usr/share/weblogin/generic/templates instead of
  /usr/share/weblogin/generic.  If you reference it in your Apache
  configuration, you will need to change the path.

 -- Russ Allbery  Wed, 07 Jul 2010 14:44:56 -0700

webauth-weblogin (3.6.2-1) unstable; urgency=high

  Versions of the webauth-weblogin package between 3.5.5 and 3.6.1,
  inclusive, could in rare cases convert the user login to a GET and
  expose the user's password in the URL, from which it would enter the
  user's browser history and possibly be sent to remote web sites via the
  referrer.

  /usr/share/doc/webauth-weblogin/weblogin-passcheck is a script that
  searches WebLogin web server logs and identifies users that may be
  affected by this problem.  Run it with -h for usage information.

 -- Russ Allbery  Tue, 08 Sep 2009 12:35:53 -0700

webauth-weblogin (3.6.0-1) unstable; urgency=low

  The login.tmpl WebLogin template has a new error variable, err_rejected,
  which is set if the user login was rejected due to a
  WebKdcPermittedRealms setting.

 -- Russ Allbery  Fri, 21 Mar 2008 22:05:56 -0700

webauth-weblogin (3.5.5-1) unstable; urgency=low

  WebLogin now checks for cookies as its first action when a browser
  visits WebLogin for the first time, and uses the error template rather
  than the login template to display errors about disabled cookies.  The
  err_cookies template variable in the login template is no longer used,
  and the error template has a new err_cookies_disabled parameter.  Custom
  templates should be updated to handle err_cookies_disabled in the error
  template, although the WebLogin scripts will work around the absence of
  that variable.

 -- Russ Allbery  Tue, 08 Jan 2008 16:41:38 -0800

webauth-weblogin (3.5.2-1) unstable; urgency=medium

  Prior versions of the default weblogin templates had a cross-site
  scripting vulnerability that potentially allowed an attacker to trick
  users into submitting their username and password to the attacker's
  site.  This vulnerability has been corrected in the sample templates as
  of this release, but any templates based on the sample templates should
  be checked for this vulnerability as well.  In the templates, replace
  any instance of:

  with:

  where "variable" may be any variable name.

 -- Russ Allbery  Thu, 13 Jul 2006 17:56:23 -0700

webauth (3.5.0-1) unstable; urgency=low

  The weblogin template variables have changed significantly with this
  release, both by renaming existing ones and by adding new ones.  Please
  read /usr/share/doc/webauth-weblogin/weblogin-config.gz for detailed
  documentation of both the template variables and the webkdc.conf
  settings.

 -- Russ Allbery  Wed, 15 Mar 2006 16:55:41 -0800
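The 3.6.2 entry above points at the weblogin-passcheck script for finding users whose password may have ended up in a GET URL. The following is an added illustration of the kind of check that script performs, written here for this page and not the packaged script itself. It assumes Apache-style access log lines, a login path of /login and form fields named username and password (all assumptions; adjust to the real WebLogin URL and field names), and it deliberately reports only that a password was present, never its value, so the report itself does not become a second copy of the secret.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Apache combined format); not real
# WebLogin logs. Only line 2 and line 4 carry credentials in a GET query.
SAMPLE_LOG = """\
10.0.0.1 - - [08/Sep/2009:12:00:01 -0700] "POST /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.2 - - [08/Sep/2009:12:00:05 -0700] "GET /login?username=alice&password=s3cret&RT=tok HTTP/1.1" 200 1234 "https://app.example.com/" "Mozilla/5.0"
10.0.0.3 - - [08/Sep/2009:12:01:00 -0700] "GET /login?RT=tok&ST=tok2 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.4 - - [08/Sep/2009:12:02:00 -0700] "GET /login?username=bob&password= HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Minimal parser for the request line of a combined-format access log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed WebLogin form field names; change these to match the real form.
PASSWORD_FIELDS = ("password",)
USER_FIELDS = ("username",)


def find_exposed_logins(log_text, login_path="/login"):
    """Return one record per GET request to the login path whose query
    string contained a password field.  The password value is never copied
    into the result; only whether it was non-empty is recorded, since a
    report that repeats the secret would re-create the exposure."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != login_path:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if not any(f in qs for f in PASSWORD_FIELDS):
            continue
        user = next((qs[f][0] for f in USER_FIELDS if f in qs), None)
        pw_nonempty = any(qs[f][0] != "" for f in PASSWORD_FIELDS if f in qs)
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "username": user,
            "password_nonempty": pw_nonempty,
        })
    return hits


if __name__ == "__main__":
    for hit in find_exposed_logins(SAMPLE_LOG):
        print("{timestamp} {ip} user={username} password_present={password_nonempty}".format(**hit))
```

A hit with `password_nonempty` set is a user whose credential sat in the URL, the browser history and any Referer header sent from the resulting page; the appropriate response is a password change for that account, not a grep for the value in other logs.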
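The 3.5.2 entry asks that any template derived from the samples be checked for the same cross-site scripting problem. As an added example, not part of the package, here is an audit helper for that check. It assumes the templates use HTML::Template syntax, where a variable is emitted with `<TMPL_VAR NAME=variable>` (or the `<!-- TMPL_VAR ... -->` comment form) and output is escaped only when the tag carries an ESCAPE attribute; the sample template below is constructed for the demonstration.

```python
import re

# Constructed sample template in HTML::Template syntax; not a WebLogin file.
# Lines 1, 2 and 4 emit variables with no ESCAPE attribute.
SAMPLE_TEMPLATE = """\
<form method="post" action="<TMPL_VAR NAME=script_name>">
  <input type="hidden" name="RT" value="<TMPL_VAR NAME=RT>">
  <input type="hidden" name="ST" value="<TMPL_VAR ESCAPE=HTML NAME=ST>">
  <!-- TMPL_VAR NAME="err_msg" -->
  <p><TMPL_VAR username ESCAPE="HTML"></p>
</form>
"""

# Matches <TMPL_VAR ...> and <!-- TMPL_VAR ... --> (tag names are
# case-insensitive in HTML::Template).
TMPL_VAR_RE = re.compile(r'<(?:!--\s*)?TMPL_VAR\b(?P<attrs>[^>]*?)(?:\s*--)?>',
                         re.IGNORECASE)
ESCAPE_RE = re.compile(r'\bESCAPE\s*=\s*["\']?(?P<mode>[A-Za-z0-9]+)', re.IGNORECASE)
NAME_RE = re.compile(r'\bNAME\s*=\s*["\']?(?P<name>[A-Za-z0-9_.-]+)', re.IGNORECASE)


def var_name(attrs):
    """Extract the variable name from a tag's attribute string, handling
    both NAME=foo and the bare <TMPL_VAR foo> form."""
    m = NAME_RE.search(attrs)
    if m:
        return m.group("name")
    for token in attrs.split():
        if "=" not in token:
            return token.strip('"\'')
    return None


def is_escaped(attrs):
    """True if the tag requests any output escaping (ESCAPE=0 counts as none)."""
    m = ESCAPE_RE.search(attrs)
    return bool(m) and m.group("mode") != "0"


def find_unescaped_vars(template_text):
    """Return (line number, variable name) for every TMPL_VAR emitted raw."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for m in TMPL_VAR_RE.finditer(line):
            attrs = m.group("attrs")
            if not is_escaped(attrs):
                findings.append((lineno, var_name(attrs)))
    return findings


def add_html_escape(template_text):
    """Return the template with ESCAPE=HTML added to every raw TMPL_VAR,
    leaving tags that already specify an ESCAPE mode untouched."""
    def fix(m):
        if is_escaped(m.group("attrs")):
            return m.group(0)
        return re.sub(r'TMPL_VAR', 'TMPL_VAR ESCAPE=HTML', m.group(0),
                      count=1, flags=re.IGNORECASE)
    return TMPL_VAR_RE.sub(fix, template_text)


if __name__ == "__main__":
    for lineno, name in find_unescaped_vars(SAMPLE_TEMPLATE):
        print("line %d: <TMPL_VAR %s> is emitted without escaping" % (lineno, name))
```

Treat the findings as a review list rather than applying `add_html_escape` blindly: a variable placed inside a URL needs ESCAPE=URL rather than HTML escaping, and a variable that is meant to carry trusted markup must instead be guaranteed safe where it is generated.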