PHP library: Difference between revisions

From RavenWiki
Jump to navigationJump to search
(Add lookup link for jw35)
(Add note about 0.5 security problem)
Line 4: Line 4:


This module is really alpha-quality software and in need of further development. However it could be a useful starting point for anyone wanting to user Raven and PHP.
This module is really alpha-quality software and in need of further development. However it could be a useful starting point for anyone wanting to user Raven and PHP.
Note that versions of this library prior to 0.51 contained a security vulnerability, in that they used the value of the 'Host' header of an HTTP response to validate 'Authentication response' messages. The Host header is under the control of a potential attacker and, by altering it, an attacker might be able to replay an existing Authentication Response message against a site that relies on the PHP library. This problem is resolved in version 0.51, at the expense of ran incompatible change: a securely-obtained host name be supplied before invoking the library functions. This problem also affected versions of this library identified as 0.6 and 0.61 that were distributed only as part of Raven authentication support for phpBB3 in early 2008.


* [http://raven.cam.ac.uk/project/php/files/ucam_webauth_php.txt Documentation]
* [http://raven.cam.ac.uk/project/php/files/ucam_webauth_php.txt Documentation]
* [http://raven.cam.ac.uk/project/php/files/ Distribution]
* [http://raven.cam.ac.uk/project/php/files/ Distribution]


This module is distributed under the terms of the GNU Lesser General Public License and is currently minimally maintained by [[person:jw35 | Jon Warbrick]]
This module is distributed under the terms of the GNU Lesser General Public License and is currently minimally maintained by [[person:jw35 | Jon Warbrick]] and [[person:jml4 | John Line]].

Revision as of 08:57, 29 April 2008

The UcamWebauth PHP class provides an application agent for making authentication requests to the UcamWebauth server that can be called from PHP.

This could be useful if you wanted to embed authentication logic within a PHP web application. If all you want to do is Raven-protect some PHP-processed pages you'd probably be better using container-managed security such as that provided by the Raven Apache modules.

This module is really alpha-quality software and in need of further development. However it could be a useful starting point for anyone wanting to user Raven and PHP.

Note that versions of this library prior to 0.51 contained a security vulnerability, in that they used the value of the 'Host' header of an HTTP response to validate 'Authentication response' messages. The Host header is under the control of a potential attacker and, by altering it, an attacker might be able to replay an existing Authentication Response message against a site that relies on the PHP library. This problem is resolved in version 0.51, at the expense of ran incompatible change: a securely-obtained host name be supplied before invoking the library functions. This problem also affected versions of this library identified as 0.6 and 0.61 that were distributed only as part of Raven authentication support for phpBB3 in early 2008.

This module is distributed under the terms of the GNU Lesser General Public License and is currently minimally maintained by Jon Warbrick and John Line.