Changelog
0.7 - 2013-05-09 - "Sorry for the wait"-Edition
Upgrade notes: The database schema has changed slightly, in a backward-compatible way. If you are upgrading from a previous version of uLogin, make the following changes to get all the fixes and to accommodate the new features:
- Increase the varchar length of the "user"/"username" fields to 400 in tables ul_log and ul_logins
- Increase the varchar length of the "password" field to 2048 in table ul_logins
- Increase the varchar length of the "id" field to 128 in table ul_sessions
- All strings are ASCII, except for user/usernames, which are UTF-8
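The upgrade steps above written out as MySQL statements. This is an added example, not part of the uLogin changelog or distribution. The column names ul_log.user, ul_logins.username, ul_logins.password and ul_sessions.id are assumed from the wording of the note, as is NOT NULL on each column; check both against your db-init script before running, because MODIFY restates the whole column definition and silently drops any constraint you leave out.

```sql
-- Added example: uLogin 0.7 schema upgrade for MySQL.
-- Column names and NOT NULL are assumptions; verify against your schema
-- and take a backup first.

-- user/usernames are the only UTF-8 strings in the schema.
ALTER TABLE ul_log
  MODIFY COLUMN `user` VARCHAR(400) CHARACTER SET utf8 NOT NULL;

ALTER TABLE ul_logins
  MODIFY COLUMN username VARCHAR(400)  CHARACTER SET utf8  NOT NULL,
  MODIFY COLUMN password VARCHAR(2048) CHARACTER SET ascii NOT NULL;

-- Session IDs are ASCII; 128 covers non-default session.hash_function settings.
ALTER TABLE ul_sessions
  MODIFY COLUMN id VARCHAR(128) CHARACTER SET ascii NOT NULL;

-- Check that the new lengths took effect.
SHOW COLUMNS FROM ul_logins   LIKE 'username';
SHOW COLUMNS FROM ul_logins   LIKE 'password';
SHOW COLUMNS FROM ul_sessions LIKE 'id';
```

Two caveats. If the username column carries a UNIQUE or other index, a utf8 VARCHAR(400) is 1200 bytes and exceeds the 767-byte index key limit of InnoDB before MySQL 5.7, so the ALTER fails with "Specified key was too long" unless you use a prefix index or a newer server. For SQLite, none of this is needed: declared varchar lengths are not enforced, and ALTER TABLE cannot change a column type anyway.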
Changes:
- Add support for server-side proxies and load balancers (see UL_PROXY_HEADER in config).
- Add support for PBKDF2 as password hash (see UL_PWD_FUNC in config).
- Add support for getting OpenID attributes in class ulOpenIdLoginBackend.
- UL_BCRYPT_ROUNDS renamed to UL_PWD_ROUNDS (API break).
- Overhaul of built-in username checking (API break). UL_ALPHANUMERIC_USER replaced by UL_USERNAME_CHECK. When upgrading, adjust based on your old config to prevent locking out some of your existing users!
- Make sure that only printable salts are produced.
- Add support for Yahoo's special case in the OpenID backend.
- Make example.php Unicode-aware.
- Give deprecation warning for PHP 5.2 in installCheck.php. PHP 5.2 is still supported in this version.
- Fix: ulUtils::ValidateIP() always returned false.
- Fix: ulUtils::GetRemoteIP() was not used everywhere it should have been.
- Fix: Nonce expiry broken on PHP 5.2 (DateTime serialization issue).
- Fix: SMD5 and SSHA hash verification broken due to missing base64_decode().
- Fix: Database creation scripts impose incorrect limits on username and password fields.
- Fix: Database field limit for session ID can be too short for non-default PHP settings.
- Fix: Wrong line endings in pdo/include.inc.php can cause PHP parse error.
0.6 - 2012-08-15
- Add debug window for debugging sessions.
- Remove optional automatic login in uLogin::CreateUser. Host should explicitly log in if desired.
- Made HTTP_REFERER check optional (UL_SESSION_CHECK_REFERER in config).
- Made IP check optional (UL_SESSION_CHECK_IP in config).
- Extended list of common passwords used for password strength estimation.
- Source files no longer include config files from a fixed path. This allows for multi-site deployment.
- Remove include_path modification, since all uLogin files are included using absolute paths anyway.
- When scoring password strength, check if the password is the same as the username.
- Add ulUtils::PreventCaching() to... well, prevent caching of the current page.
- Add installCheck.php detection of settings that need attention with AJAX (UL_USES_AJAX in config).
- Minor license modification. Still BSD, so no worries.
- Fix: Close the window of vulnerability when non-probabilistically regenerating the session ID.
- Fix: Remove HTTP_ACCEPT* session checks. These cannot be relied upon. Fixes unwanted session drops.
- Fix: Utils::ValidateIP called as a global function.
- Fix: Rename generic class names to begin with "ul" to avoid name collision with other code.
0.5 - 2012-06-24
- Localhost development support. See the updated comments on UL_DOMAIN in config.inc.php.
- Slightly more reliable session hijack prevention through better fingerprinting.
- User-specific session token generation for replay prevention.
- No need to use HMAC in session and autologin name generation. It was not more secure, only slower.
- Make data in $_SESSION['nonsensitive'] survive invalidated sessions
- Increase default nonce expiry to 15 minutes
- Rename method fail() to ul_fail() to avoid collision with other software.
- Clarified semantics of sses_running()
- Change double quotes to single quotes where possible
- UL_SESSION_EXPIRE will now only accept positive values
- Fix: Sessions expire too soon, after min(UL_NONCE_EXPIRE, UL_SESSION_EXPIRE) instead of UL_SESSION_EXPIRE seconds
- Fix: Try to avoid occasional "database locked" error for sqlite databases
- Fix: Some cookies were not using UL_DOMAIN
0.4 - 2012-01-06
Special note: This release has been contributed entirely by Jorge. Thank you!
Special note #2: Bcrypt hashes in this version are not compatible with older uLogin versions!
- Add SQLite compatibility and db-init-sqlite.sql file
- Automatically deal with mcrypt_create_iv() bug under Windows PHP < 5.3.7
- Use phpass-compatible bcrypt salts
- Updated example
- Fix: Remove trailing spaces after php closing tags (avoids "headers already sent")
- Fix: Suppress errors when open_basedir restriction is in effect
- Fix: Wrong function called to block IP
- Fix: User or IP blocking did not work if the user never had a successful login
0.3 - 2011-09-05
- Support for new authentication backends:
  - LDAP
  - OpenID
  - SSH2
  - Duo Security
- Security enhancements:
  - Session replay prevention
  - Support for HTTP Strict Transport Security
  - Custom session cookie name
  - Much improved password strength estimation, based on entropy and dictionary
  - Improved support for strong random number generation on Windows
  - Additional checking and warnings in the installation script
  - IP and user blocks now also apply for "remember me"
- PHP 5.2 compatibility
- Windows-PHP supported
- Greatly enhanced API
- Configurable HMAC hash function
- uLogin is no longer responsible for determining logged-in state
- Option to automatically start a secure session on each page
- Runtime selectable backends
- Renamed database tables to avoid collision with other software
- Even more lightweight, only loads what is really used
- Option to allow other username characters in addition to alphanumeric
- Added sses_invalidated() to replace old return semantic of sses_start()
- Changed return semantic of sses_start() to be compatible with session_start()
- Implement correct session record locking
- Verify disabled session.auto_start in installation script
- Got rid of MySQL-isms in query syntax to achieve true DBMS independence
- Support for additional password hashing schemes
- Provide cleanup cronscript
- IPv6 compatibility
- Fix: IP and user block features could not be disabled
- Fix: Empty password was never accepted as valid
- Fix: Password was capped against UL_MAX_USERNAME_LENGTH
- Fix: Only alphanumeric passwords were allowed by a validation mistake
- Fix: Session store stops working after session destroy or close
- Fix: Some events were not logged
- Some other non-security bugfixes
0.2 - 2011-08-22
- New installation and security check script included
- Per-request tunable probability for session ID regeneration
- Support for changing password
- Clickjacking prevention
- Timing attack prevention
- Greatly increased autologin security
- Increased nonce security
- Persistent nonce support
- Slightly changed password hashing, incompatible with 0.1
- Option to only allow alphanumeric usernames
- Capped maximum username and password length
- Database backend rewritten with PDO, allowing different kinds of databases to be used
- Made user blocking backend-specific
- Some small bugfixes
- Better error detection and reporting
- Workaround for crypt_blowfish bug CVE-2011-2483
- Change to BSD license
0.1 - 2011-08-15