2019-02-11 08:26:11 +01:00
|
|
|
Version 0.14.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
Bug fixes:
|
|
|
|
|
|
|
|
* Fix environment variables in MellonCond
|
|
|
|
* Fix detection of AJAX requests
|
|
|
|
* Fix trailing semi-colon in Set-Cookie header
|
|
|
|
|
2018-03-16 07:49:46 +01:00
|
|
|
Version 0.14.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
Backwards incompatible changes:
|
|
|
|
|
|
|
|
This version switches the default signature algorithm used when
|
|
|
|
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
|
|
|
|
allow messages to be signed with that algorithm, you need to add a
|
|
|
|
setting switching back to the old algorithm:
|
|
|
|
|
|
|
|
MellonSignatureMethod rsa-sha1
|
|
|
|
|
|
|
|
Note that this only affects messages sent from mod_auth_mellon to your
|
|
|
|
IdP. It does not affect authentication responses or other messages
|
|
|
|
sent from your IdP to mod_auth_mellon.
|
|
|
|
|
|
|
|
New features:
|
|
|
|
|
|
|
|
* Many improvements in what is logged during various errors.
|
|
|
|
|
|
|
|
* Diagnostics logging, which creates a detailed log during request
|
|
|
|
processing.
|
|
|
|
|
|
|
|
* Add support for selecting which signature algorithm is used when
|
|
|
|
signing messages, and switch to rsa-sha256 by default.
|
|
|
|
|
|
|
|
Bug fixes:
|
|
|
|
|
|
|
|
* Fix segmentation fault in POST replay functionality on empty value.
|
|
|
|
|
|
|
|
* Fix incorrect error check for many `lasso_*`-functions.
|
|
|
|
|
|
|
|
* Fix case sensitive match on MellonUser attribute name.
|
|
|
|
|
|
|
|
|
2017-03-10 14:42:01 +01:00
|
|
|
Version 0.13.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
2017-03-13 09:55:48 +01:00
|
|
|
Security fix:
|
|
|
|
|
|
|
|
Fix a cross-site session transfer vulnerability. mod_auth_mellon
|
|
|
|
version 0.13.0 and older failed to validate that the session specified
|
|
|
|
in the user's session cookie was created for the web site the user
|
|
|
|
actually accesses.
|
|
|
|
|
|
|
|
If two different web sites are hosted on the same web server, and both
|
|
|
|
web sites use mod_auth_mellon for authentication, this vulnerability
|
|
|
|
makes it possible for an attacker with access to one of the web sites
|
|
|
|
to copy their session cookie to the other web site, and then use the
|
|
|
|
same session to get access to the other web site.
|
|
|
|
|
|
|
|
Thanks to François Kooman for reporting this vulnerability.
|
|
|
|
|
|
|
|
This vulnerability has been assigned CVE-2017-6807.
|
|
|
|
|
|
|
|
Note: The fix for this vunlerability makes mod_auth_mellon validate
|
|
|
|
that the cookie parameters used when creating the session match the
|
|
|
|
cookie parameters that should be used when accessing the current
|
|
|
|
page. If you currently use mod_auth_mellon across multiple subdomains,
|
|
|
|
you must make sure that you set the `MellonCookie`-option to the same
|
|
|
|
value on all domains.
|
|
|
|
|
2017-03-10 14:42:01 +01:00
|
|
|
Bug fixes:
|
|
|
|
|
|
|
|
* Fix segmentation fault if a (trusted) identity provider returns a
|
|
|
|
SAML 2.0 attribute without a Name.
|
|
|
|
|
2017-03-13 10:12:10 +01:00
|
|
|
* Fix segmentation fault if MellonPostReplay is enabled but
|
|
|
|
MellonPostDirectory is not set.
|
2017-03-10 14:42:01 +01:00
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2017-02-08 16:32:21 +01:00
|
|
|
Version 0.13.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
Security fix:
|
|
|
|
|
|
|
|
Fix a denial of service attack in the logout handler, which allows a
|
|
|
|
remote attacker to crash the Apache worker process with a segmentation
|
|
|
|
fault. This is caused by a null-pointer dereference when processing a
|
|
|
|
malformed logout message.
|
|
|
|
|
|
|
|
New features:
|
|
|
|
|
|
|
|
* Allow MellonSecureCookie to be configured to enable just one of the
|
|
|
|
"httponly" of "secure" flags, instead of always enabling both flags.
|
|
|
|
|
|
|
|
* Support per-module log level with Apache 2.4.
|
|
|
|
|
|
|
|
* Allow disabling the Cache-Control HTTP response header.
|
|
|
|
|
|
|
|
* Add support for SameSite cookie parameter.
|
|
|
|
|
|
|
|
Bug fixes:
|
|
|
|
|
|
|
|
* Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
|
|
|
|
respond to the probe request.
|
|
|
|
|
2017-02-22 07:29:20 +01:00
|
|
|
* Fix mod_auth_mellon interfering with other Apache authentication
|
|
|
|
modules even when it is disabled for a path.
|
2017-02-08 16:32:21 +01:00
|
|
|
|
|
|
|
* Fix wrong HTTP status code being returned in some cases during user
|
|
|
|
permission checks.
|
|
|
|
|
|
|
|
* Fix default POST size limit to actually be 1 MB.
|
|
|
|
|
|
|
|
* Fix error if authentication response is missing the optional
|
|
|
|
Conditions-element.
|
|
|
|
|
|
|
|
* Fix AJAX requests being redirected to the IdP.
|
|
|
|
|
|
|
|
* Fix wrong content type for ECP authentication request responses.
|
|
|
|
|
|
|
|
In addition there are various fixes for errors in the documentation,
|
|
|
|
as well as internal code changes that do not have any user visible
|
|
|
|
effects.
|
|
|
|
|
|
|
|
|
2016-03-08 15:51:51 +01:00
|
|
|
Version 0.12.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
Security fixes:
|
|
|
|
|
|
|
|
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
|
|
|
|
incorrect error handling when reading POST data from client.
|
|
|
|
|
|
|
|
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
|
|
|
|
resource exhaustion) due to missing size checks when reading
|
|
|
|
POST data.
|
|
|
|
|
|
|
|
In addition this release contains the following new features and fixes:
|
|
|
|
|
2016-03-09 10:45:28 +01:00
|
|
|
* Add MellonRedirectDomains option to limit the sites that
|
2016-03-08 15:51:51 +01:00
|
|
|
mod_auth_mellon can redirect to. This option is enabled by default.
|
|
|
|
|
|
|
|
* Add support for ECP service options in PAOS requests.
|
|
|
|
|
|
|
|
* Fix AssertionConsumerService lookup for PAOS requests.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2016-03-08 16:05:58 +01:00
|
|
|
Version 0.11.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
Security fixes:
|
|
|
|
|
|
|
|
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
|
|
|
|
incorrect error handling when reading POST data from client.
|
|
|
|
|
|
|
|
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
|
|
|
|
resource exhaustion) due to missing size checks when reading
|
|
|
|
POST data.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2015-09-03 14:47:16 +02:00
|
|
|
Version 0.11.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
2015-09-16 16:01:42 +02:00
|
|
|
* Add SAML 2.0 ECP support.
|
|
|
|
|
2015-09-03 14:47:16 +02:00
|
|
|
* The MellonDecode option has been disabled. It was used to decode
|
|
|
|
attributes in a Feide-specific encoding that is no longer used.
|
|
|
|
|
|
|
|
* Set max-age=0 in Cache-Control header, to ensure that all browsers
|
|
|
|
verifies the data on each request.
|
2015-04-15 10:59:16 +02:00
|
|
|
|
2015-04-16 13:42:47 +02:00
|
|
|
* MellonMergeEnvVars On now accepts second optional parameter, the
|
|
|
|
separator to be used instead of the default ';'.
|
|
|
|
|
2015-04-16 11:00:50 +02:00
|
|
|
* Add option MellonEnvVarsSetCount to specify if the number of values
|
|
|
|
for any attribute should also be stored in environment variable
|
|
|
|
suffixed _N.
|
2015-04-15 10:59:16 +02:00
|
|
|
|
|
|
|
* Add option MellonEnvVarsIndexStart to specify if environment variables
|
|
|
|
for multi-valued attributes should start indexing with 0 (default) or
|
|
|
|
with 1.
|
|
|
|
|
2015-09-03 14:47:16 +02:00
|
|
|
* Bugfixes:
|
|
|
|
|
|
|
|
* Fix error about missing authentication with DirectoryIndex in
|
|
|
|
Apache 2.4.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2014-12-18 10:59:58 +01:00
|
|
|
Version 0.10.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Make sure that we fail in the unlikely case where OpenSSL is not able
|
|
|
|
to provide us with a secure session id.
|
|
|
|
|
|
|
|
* Increase the number of key-value pairs in the session to 2048.
|
|
|
|
|
|
|
|
* Add MellonMergeEnvVars-option to store multi-valued attributes in
|
|
|
|
a single environment variable, separated with ';'.
|
|
|
|
|
|
|
|
* Bugfixes:
|
|
|
|
|
|
|
|
* Fix the [MAP] option for MellonCond.
|
|
|
|
|
|
|
|
* Fix cookie deletion for the session cookie. (Logout is not dependent
|
|
|
|
on the cookie being deleted, so this only fixes the cookie showing
|
|
|
|
up after the session is deleted.)
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2014-09-01 10:11:54 +02:00
|
|
|
Version 0.9.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Bugfixes:
|
|
|
|
|
|
|
|
* Fix session offset calculation that prevented us from having
|
|
|
|
active sessions at once.
|
|
|
|
|
|
|
|
* Run mod_auth_mellon request handler before most other handlers,
|
|
|
|
so that other handlers cannot block it by accident.
|
|
|
|
|
|
|
|
|
2014-08-27 14:32:12 +02:00
|
|
|
Version 0.9.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Set the AssertionConsumerServiceURL attribute in authentication
|
|
|
|
requests.
|
|
|
|
|
|
|
|
* Bugfixes:
|
|
|
|
|
|
|
|
* Fix use of uninitialized data during logout.
|
|
|
|
|
|
|
|
* Fix session entry overflow leading to segmentation faults.
|
|
|
|
|
|
|
|
* Fix looking up sessions by NameID, which is used during logout.
|
|
|
|
|
2014-12-18 10:59:02 +01:00
|
|
|
|
|
|
|
Version 0.8.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
This is a security release with fixes backported from version 0.9.1.
|
|
|
|
|
|
|
|
It turned out that session overflow bugs fixes in version 0.9.0 and
|
|
|
|
0.9.1 can lead to information disclosure, where data from one session
|
|
|
|
is leaked to another session. Depending on how this data is used by the
|
|
|
|
web application, this may lead to data from one session being disclosed
|
|
|
|
to an user in a different session. (CVE-2014-8566)
|
|
|
|
|
|
|
|
In addition to the information disclosure, this release contains some
|
|
|
|
fixes for logout processing, where logout requests would crash the
|
|
|
|
Apache web server. (CVE-2014-8567)
|
|
|
|
|
|
|
|
|
2014-06-24 10:24:36 +02:00
|
|
|
Version 0.8.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Add support for receiving HTTP-Artifact identifiers as POST data.
|
|
|
|
|
|
|
|
* Simplify caching headers.
|
|
|
|
|
|
|
|
* Map login errors into more appropriate HTTP error codes than
|
|
|
|
400 Bad Request.
|
|
|
|
|
|
|
|
* Add MellonNoSuccessErrorPage option to redirect to a error page on login
|
|
|
|
failure.
|
|
|
|
|
|
|
|
* Turn session storage into a dynamic pool of memory, which means that
|
|
|
|
attribute values (and other items) can have arbitrary sizes as long as
|
|
|
|
they fit in the session as a whole.
|
|
|
|
|
|
|
|
* Various bugfixes:
|
|
|
|
|
|
|
|
* Fix for compatibility with recent versions of CURL.
|
|
|
|
|
|
|
|
* Fix broken option MellonDoNotVerifyLogoutSignature.
|
|
|
|
|
|
|
|
* Fix deadlock that could occur during logout processing.
|
|
|
|
|
|
|
|
* Fix some compile warnings.
|
|
|
|
|
|
|
|
* Fix some NULL derefernce bugs that may lead to segmentation faults.
|
|
|
|
|
|
|
|
* Fix a minor memory leak during IdP metadata loading.
|
|
|
|
|
|
|
|
|
2013-05-30 09:45:15 +02:00
|
|
|
Version 0.7.0
|
2013-04-15 16:54:38 +02:00
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Add MellonSPentityId to control entityId in autogenerated metadata
|
|
|
|
|
2013-05-30 09:45:15 +02:00
|
|
|
* Fix compatibility with Apache 2.4.
|
|
|
|
|
|
|
|
* Handle empty RelayState the same as missing RelayState.
|
|
|
|
|
|
|
|
* Add MellonSetEvnNoPrefix directive to set environment variables
|
|
|
|
without "MELLON_"-prefix.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2013-03-22 12:44:07 +01:00
|
|
|
Version 0.6.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Fix the POST replay functionality when multiple users logging in
|
|
|
|
at once.
|
|
|
|
|
|
|
|
* Add a fallback for the case where the POST replay data has expired
|
|
|
|
before the user logs in.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2013-03-06 13:54:28 +01:00
|
|
|
Version 0.6.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
Backwards-incompatible changes:
|
|
|
|
|
|
|
|
* The POST replay functionality has been disabled by default, and the
|
|
|
|
automatic creation of the MellonPostDirectory target directory has been
|
|
|
|
removed. If you want to use the POST replay functionality, take a
|
|
|
|
look at the README file for instructions for how to enable this.
|
|
|
|
|
|
|
|
* Start discovery service when accessing the login endpoint. We used
|
|
|
|
to bypass the discovery service in this case, and just pick the first
|
|
|
|
IdP. This has been changed to send a request to the discovery service
|
|
|
|
instead, if one is configured.
|
|
|
|
|
|
|
|
* The MellonLockFile default path has been changed to:
|
|
|
|
/var/run/mod_auth_mellon.lock
|
|
|
|
This only affects platforms where a lock file is required and
|
|
|
|
where Apache doesn't have write access to that directory during
|
|
|
|
startup. (Apache can normally create files in that directory
|
|
|
|
during startup.)
|
|
|
|
|
|
|
|
Other changes:
|
|
|
|
|
|
|
|
* Fix support for SOAP logout.
|
|
|
|
|
|
|
|
* Local logout when IdP does not support SAML 2.0 Single Logout.
|
|
|
|
|
|
|
|
* MellonDoNotVerifyLogoutSignature option to disable logout signature
|
|
|
|
validation.
|
|
|
|
|
|
|
|
* Support for relative file paths in configuration.
|
|
|
|
|
|
|
|
* The debian build-directory has been removed from the repository.
|
|
|
|
|
|
|
|
* Various cleanups and bugfixes:
|
|
|
|
|
|
|
|
* Fix cookie parsing header parsing for some HTTP libraries.
|
|
|
|
|
|
|
|
* Fix inheritance of MellonAuthnContextClassRef option.
|
|
|
|
|
|
|
|
* Use ap_set_content_type() instead of accessing request->content_type.
|
|
|
|
|
|
|
|
* README indentation cleanups.
|
|
|
|
|
|
|
|
* Support for even older versions of GLib.
|
|
|
|
|
|
|
|
* Fixes for error handling during session initialization.
|
|
|
|
|
2013-03-15 10:08:47 +01:00
|
|
|
* Directly link with GLib rather than relying on the Lasso library
|
|
|
|
linking to it for us.
|
|
|
|
|
2013-03-06 13:54:28 +01:00
|
|
|
* Some code cleanups.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2012-04-16 11:13:09 +02:00
|
|
|
Version 0.5.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Honour MellonProbeDiscoveryIdP order when sending probes.
|
|
|
|
|
|
|
|
* MellonAuthnContextClassRef configuration directive, to limit
|
|
|
|
authentication to specific authentication methods.
|
|
|
|
|
|
|
|
* Support for the HTTP-POST binding when sending authentication
|
|
|
|
requests to the IdP.
|
|
|
|
|
|
|
|
* MellonSubjectConfirmationDataAddressCheck option to disable received
|
|
|
|
address checking.
|
|
|
|
|
|
|
|
* Various cleanups and bugfixes:
|
|
|
|
|
|
|
|
* Support for older versions of GLib and APR.
|
|
|
|
|
|
|
|
* Send the correct SP entityID to the discovery service.
|
|
|
|
|
|
|
|
* Do not set response headers twice.
|
2011-12-05 20:06:44 +01:00
|
|
|
|
2012-04-16 11:13:09 +02:00
|
|
|
* Several cleanups in the code that starts authentication.
|
2011-12-05 20:06:44 +01:00
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2011-05-18 12:49:37 +02:00
|
|
|
Version 0.4.0
|
2011-03-02 14:08:09 +01:00
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Allow MellonUser variable to be translated through MellonSetEnv
|
|
|
|
|
2011-03-09 07:20:16 +01:00
|
|
|
* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
|
|
|
|
IdP dicovery URL scheme
|
|
|
|
|
2011-03-17 06:20:40 +01:00
|
|
|
* New MellonCond directive to enable attribute filtering beyond
|
|
|
|
MellonRequire functionalities.
|
|
|
|
|
2011-03-23 16:05:19 +01:00
|
|
|
* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
|
|
|
|
using a glob(3) pattern.
|
|
|
|
|
2011-05-18 12:49:37 +02:00
|
|
|
* Support for running behind reverse proxy.
|
|
|
|
|
|
|
|
* MellonCookieDomain and MellonCookiePath options to configure cookie
|
|
|
|
settings.
|
|
|
|
|
|
|
|
* Support for loading federation metadata files.
|
|
|
|
|
|
|
|
* Several bugfixes.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2010-08-12 13:06:32 +02:00
|
|
|
Version 0.3.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* New login-endpoint, which allows easier manual initiation of login
|
|
|
|
requests, and specifying parameters such as IsPassive.
|
|
|
|
|
|
|
|
* Validation of Conditions and SubjectConfirmation data in the assertion
|
|
|
|
we receive from the IdP.
|
|
|
|
|
|
|
|
* Various bugfixes.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2010-05-31 13:15:49 +02:00
|
|
|
Version 0.2.7
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
2010-08-12 13:06:32 +02:00
|
|
|
* Optionaly save the remote IdP entityId in the environment
|
2010-05-31 13:15:49 +02:00
|
|
|
|
2010-05-31 13:19:26 +02:00
|
|
|
* Shibboleth 2 interoperability
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2009-12-21 15:06:29 +01:00
|
|
|
Version 0.2.6
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Fix XSS/DOS vulnerability in repost handler.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2009-11-09 14:46:28 +01:00
|
|
|
Version 0.2.5
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Replay POST requests after been sent to the IdP
|
|
|
|
|
2009-11-16 10:20:06 +01:00
|
|
|
* Fix HTTP response splitting vulnerability.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2009-08-11 15:52:06 +02:00
|
|
|
Version 0.2.4
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Fix for downloads of files with Internet Explorer with SSL enabled.
|
|
|
|
|
|
|
|
* Mark session as disabled as soon as logout starts, in case the IdP
|
|
|
|
doesn't respond.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2009-08-07 14:57:02 +02:00
|
|
|
Version 0.2.3
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Bugfix for session lifetime. Take the session lifetime from the
|
|
|
|
SessionNotOnOrAfter attribute if it is present.
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2009-06-15 16:10:23 +02:00
|
|
|
Version 0.2.2
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Improve metadata autogeneration: cleanup certificate, allow Organizarion
|
|
|
|
element data to be supplied from Apache configuration
|
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2009-06-05 22:17:14 +02:00
|
|
|
Version 0.2.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Make SAML authentication assertion and Lasso session available in the
|
2015-09-18 16:35:04 +02:00
|
|
|
environment.
|
2009-06-05 22:17:14 +02:00
|
|
|
|
2018-03-16 07:37:52 +01:00
|
|
|
|
2009-05-13 08:44:04 +02:00
|
|
|
Version 0.2.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)
|
|
|
|
|
|
|
|
* Multiple IdP support, with discovery service.
|
|
|
|
|
|
|
|
* Built in discovery service which tests the availability of each IdP,
|
|
|
|
and uses the first available IdP.
|
|
|
|
|
|
|
|
* Fix a mutex leak.
|
|
|
|
|
|
|
|
|
2009-03-06 09:34:29 +01:00
|
|
|
Version 0.1.1
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* MellonSecureCookie option, which enables Secure + HttpOnly flags on
|
|
|
|
session cookies.
|
|
|
|
|
|
|
|
* Better handling of logout request when the user is already logged out.
|
|
|
|
|
|
|
|
|
2008-11-11 22:05:50 +01:00
|
|
|
Version 0.1.0
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Better support for BSD.
|
|
|
|
|
|
|
|
* Support for setting a IdP CA certificate and SP certificate.
|
|
|
|
|
|
|
|
* Support for loading the private key during web server initialization.
|
|
|
|
With this, the private key only needs to be readable by root. This
|
|
|
|
requires a recent version of Lasso to work.
|
|
|
|
|
|
|
|
* Better DOS resistance, by only allocating a session when the user has
|
|
|
|
authenticated with the IdP.
|
|
|
|
|
|
|
|
* Support for IdP initiated login. The MellonDefaultLoginPath option can
|
|
|
|
be to configure which page the user should land on after authentication.
|
|
|
|
|
|
|
|
|
2007-10-01 09:47:39 +02:00
|
|
|
Version 0.0.7
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
* Renamed the logout endpoint from "logoutRequest" to "logout".
|
|
|
|
"logoutRequest" is now an alias for "logout", and may be removed in the
|
|
|
|
future.
|
|
|
|
|
|
|
|
* Added SP initiated logout. To initiate a logout from the web site, link
|
|
|
|
the user to the logout endpoint, with a ReturnTo parameter with the url
|
|
|
|
the user should be redirected to after being logged out. Example url:
|
|
|
|
"https://www.example.com/secret/endpoint/logout
|
|
|
|
?ReturnTo=http://www.example.com/". (Note that this should be on a
|
|
|
|
single line.)
|
2007-10-01 11:45:01 +02:00
|
|
|
|
|
|
|
* Fixed a memory leak on login.
|
2007-10-26 15:37:54 +02:00
|
|
|
|
|
|
|
* Increased maximum Lasso session size to 8192 from 3074. This allows us to
|
|
|
|
handle users with more attributes.
|
2007-12-11 09:00:06 +01:00
|
|
|
|
|
|
|
* Fixed handling of multiple AttributeValue elements in response.
|