WebAuth 4.5.5 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 4.5.5. This is a bug-fix release for the WebLogin and WebKDC components of WebAuth, particularly for multifactor authentications. There is no need for WebAuth Application Servers to upgrade to this release.
For documentation and downloads of WebAuth 4.5.5, see:
The user-visible changes in this release are:
Fix replay detection in WebLogin to use the same memcached object naming convention when registering authentications and when checking for a previous authentication.
If the login is rejected by the user information service, WebLogin now displays a more specific error instead of the generic "something went wrong" error page.
If a multifactor authentication is rejected by the validation service, the user is now returned to the multifactor authentication screen and the error message is provided to the template, rather than taking the user to a dead-end error page with a generic error.
If enabled, rate limiting and replay detection are also applied to the multifactor login page in addition to the password login page.
Support remembering that the user has been sent an SMS message already when redisplaying the multifactor login page after an error. For this to work properly, local templates will have to be updated to set the form parameter multifactor_sentauth if an SMS message has already been sent. See the sample multifactor.tmpl file for an example.