uLogin PHP Authentication Library

• About
• Download
• Usage
• FAQ
• Changelog
• Contribute

Changelog

0.7 - 2013-05-09 - "Sorry for the wait"-Edition

Upgrade notes: The database schema has slightly changed in a backward-compatible way. If you are upgrading from a previous version of uLogin, you should make the following changes in order to get all the fixes and to accomodate new features:

• Increase "user"/"username" fields varchar length to 400 in tables ul_log and ul_logins
• Increase "password" field varchar length to 2048 in table ul_logins
• Increase "id" field varchar length to 128 in table ul_sessions
• All strings are ascii, except for user/usernames which are utf8

Changes:

• Add support for server-side proxies and load balancers (see UL_PROXY_HEADER in config).
• Add support for PBKDF2 as password hash (see UL_PWD_FUNC in config).
• Add support for getting OpenID attributes in class ulOpenIdLoginBackend.
• UL_BCRYPT_ROUNDS renamed to UL_PWD_ROUNDS (API break).
• Overhaul of built-in username checking (API break). UL_ALPHANUMERIC_USER replaced by UL_USERNAME_CHECK. When upgrading, adjust based on your old config to prevent locking out some of your existing users!
• Make sure that only printable salts are produced.
• Add support for Yahoo's special case in the OpenID backend
• Make example.php unicode-aware
• Give deprecation warning for PHP 5.2 in installCheck.php. PHP 5.2 is still supported in this version.
• Fix: ulUtils::ValidateIP() always returns false.
• Fix: ulUtils::GetRemoteIP() was not used everywhere where it should have been.
• Fix: Nonce expiry broken on PHP 5.2 (DateTime serialization issue).
• Fix: SMD5 and SSHA hash verification broken due to missing base64_decode().
• Fix: Database creation scripts impose incorrect limits on username and password fields.
• Fix: Database field limit for session ID can be too short for non-default PHP settings.
• Fix: Wrong line endings in pdo/include.inc.php can cause PHP parse error.

0.6 - 2012-08-15

• Add debug window for debugging sessions.
• Remove optional automatic login in uLogin::CreateUser. Host should explicitly log in if desired.
• Made HTTP_REFERER check optional (UL_SESSION_CHECK_REFERER in config).
• Made IP check optional (UL_SESSION_CHECK_IP in config).
• Extended list of common passwords used for password strength estimation.
• Source files no longer include config files from a fixed path. This allows for multi-site deployment.
• Remove include_path modification, since all uLogin files are included using absolute paths anyway.
• When scoring password strength, check if the password is the same as the username.
• Add ulUtils::PreventCaching() to... well, prevent caching of the current page.
• Add installCheck.php detection of settings that need attention with AJAX (UL_USES_AJAX in config).
• Minor license modification. Still BSD, so no worries.
• Fix: Get rid of window of vulnerability when non-probabilistically regenerating session id.
• Fix: Remove HTTP_ACCEPT* session checks. These cannot be relied upon. Fixes unwanted session drops.
• Fix: Utils::ValidateIP called as a global function.
• Fix: Rename generic class names to begin with "ul" to avoid name collision with other code.

0.5 - 2012-06-24

• localhost development support. See updated comments on UL_DOMAIN in config.inc.php.
• Slightly more reliable session hijack prevention, by better fingerprinting
• User-specific session token generation for replay prevention
• No need to use HMAC in session and autologin name generation. It wasn't more secure but slower.
• Make data in $_SESSION['nonsensitive'] survive invalidated sessions
• Increase default nonce expiry to 15 minutes
• Rename method fail() to ul_fail() to avoid collision with other software.
• Clarified semantics of sses_running()
• Change double quotes to single quotes where possible
• UL_SESSION_EXPIRE will now only accept positive values
• Fix: Sessions expire too soon, after min(UL_NONCE_EXPIRE, UL_SESSION_EXPIRE) instead of UL_SESSION_EXPIRE seconds
• Fix: Try to avoid occasional "database locked" error for sqlite databases
• Fix: Some cookies were not using UL_DOMAIN

0.4 - 2012-01-06

Special note: This release has been contributed entirely by Jorge. Thank you!
Special note #2: Bcrypt hashes in this version are not compatible with older uLogin versions!

• Add SQLite compatibility and db-init-sqlite.sql file
• Automatically deal with mcrypt_create_iv() bug under Windows PHP < 5.3.7
• Use phpass-compatible bcrypt salts
• Updated example
• Fix: Remove trailing spaces after php closing tags (avoids "headers already sent")
• Fix: Suppress errors when open_basedir restriction is in effect
• Fix: Wrong function called to block IP
• Fix: User or IP blocking did not work if the user never had a successfull login

0.3 - 2011-09-05

• Support for new authentication backends:
  • LDAP
  • OpenID
  • SSH2
  • Duo Security
• Security enhancements:
  • Session replay prevention
  • Support for HTTP Strict Transport Security
  • Custom session cookie name
  • Much improved password strength estimation, based on entropy and dictionary
  • Improved support for strong random number generation on Windows
  • Additional checking and warnings in the installation script
  • IP and user blocks now also apply for "remember me"
• PHP 5.2 compatibility
• Windows-PHP supported
• Greatly enhanced API
• Configurable HMAC hash function
• uLogin is no longer responsible for determining logged-in state
• Option to automatically start a secure session on each page
• Runtime selectable backends
• Renamed database tables to avoid collision with other software
• Even more lightweight, only loads what is really used
• Option to allow other username characters in addition to alphanumeric
• Added sses_invalidated() to replace old return semantic of sses_start()
• Changed return semantic of sses_start() to be compatible with session_start()
• Implement correct session record locking
• Verify disabled session.auto_start in installation script
• Got rid of MySQL'ism in query syntax to achieve true DBMS independence
• Support for additional password hashing schemes
• Provide cleanup cronscript
• IPv6 compatibilty
• Fix: IP and user block features could not be disabled
• Fix: Empty password was never accepted as valid
• Fix: Password was capped against UL_MAX_USERNAME_LENGTH
• Fix: Only alphanumeric passwords were allowed by a validation mistake
• Fix: Session store stops working after session destroy or close
• Fix: Some events were not logged
• Some other non-security bugfixes

0.2 - 2011-08-22

• New installation and security check script included
• Per-request tunable probability for session ID regeneration
• Support for changing password
• Clickjacking prevention
• Timing attack prevention
• Greatly increased autologin security
• Increased nonce security
• Persistent nonce support
• Slightly changed password hashing, incompatible with 0.1
• Option to only allow alphanumeric usernames
• Capped maximum username and password length
• Database backend rewritten with PDO, allowing to use different kinds of databases
• Made user blocking backend-specific
• Some small bugfixes
• Better error detection and reporting
• Workaround for crypt_blowfish bug CVE-2011-2483
• Change to BSD license

0.1 - 2011-08-15

• First release

---

Copyright (c) 2011-2012, Karoly Pados

Kindly hosted by