PHP library: Difference between revisions

From RavenWiki
No edit summary
(Update for the move to GitHub)
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{unsupported}}
The UcamWebauth PHP class provides an application agent for making authentication requests to the UcamWebauth server that can be called from PHP.
The UcamWebauth PHP class provides an application agent for making authentication requests to the UcamWebauth server that can be called from PHP.


This could be useful if you wanted to embed authentication logic within a PHP web application. If all you want to do is Raven-protect some PHP-processed pages you'd probably be better using a mixture of container-managed
'''<span style="color: red">This module is not part of the Raven service and is not recommended or (officially) supported by UIS.</span>'''
and application-managed security such as that described [http://www.ucs.cam.ac.uk/raven/webmasters here]. There's some
additional [[Accessing authentication information|information about how authentication information can be accessed from PHP]].
 
'''<span style="color: red">This module is not part of the Raven service and is not recommended or (officially) supported by UIS. It is believed to be alpha-quality software (at best), to probably contain bugs, and to be in need of further development. However it could be a useful starting point for anyone wanting to use Raven and PHP.</span>'''
 
Note that versions of this library prior to 0.51 contained a security vulnerability, in that they used the value of the 'Host' header of an HTTP response to validate 'Authentication response' messages. The Host header is under the control of a potential attacker and, by altering it, an attacker might be able to replay an existing Authentication Response message against a site that relies on the PHP library. This problem is resolved in version 0.51, at the expense of an incompatible change: a securely-obtained host name must be supplied before invoking the library functions.
 
This problem also affected versions of this library identified as 0.6 and 0.61 that were distributed only as part of Raven authentication support for phpBB3 in early 2008, but updated phpBB/Raven kits (with V0.62, which provides the security fix) are available.
 
[NB Version 0.51 is '''not''' suitable as a replacement for 0.6/0.61, as the phpBB modifications require newly-added functionality that doesn't exist in 0.51. Conversely, the changes in 0.6/0.61/0.62 broke the old interface (as provided by 0.51 and earlier), so they cannot be used with software that uses the old interface. It is hoped that at some point in the future, a unified version will support both the old and new functionality.]
 
The code for this module is now available from the UCS git service, [https://git.csx.cam.ac.uk/x/ucs/raven/php.git here].
 
* [https://git.csx.cam.ac.uk/x/ucs/raven/php.git/blob_plain/HEAD:/ucam_webauth_php.txt Documentation]
* [https://git.csx.cam.ac.uk/x/ucs/raven/php.git/tree Distribution]


This module is distributed under the terms of the GNU Lesser General Public License and is currently minimally maintained by [[person:jw35 | Jon Warbrick]] and [[person:jml4 | John Line]].
The code for this module is now maintained on GitHub at https://github.com/cambridgeuniversity/ucam-webauth-php. Please use the GitHub issue tracker to record problems and request enhancements. Pull requests containing bug fixes and enhancements are welcome -- UIS minimally-manages the repository and aims to merge all reasonable offerings.
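
Review bot: The paragraphs describing the Host-header replay vulnerability (versions prior to 0.51, plus 0.6 and 0.61 as distributed with the phpBB3 kits) and the interface incompatibility between 0.51 and 0.6/0.61/0.62 are removed with nothing taking their place. After this change the page no longer tells someone running an older copy that it validates 'Authentication response' messages against a value an attacker controls, or that the fix requires supplying a securely-obtained host name. Suggest keeping a one-sentence security note next to the new GitHub paragraph that names the affected versions and the fixed ones (0.51 and 0.62); the warnings that remain are generic and do not identify this issue.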

Latest revision as of 10:00, 19 May 2017

The Raven-related software described on this page is NOT supported or maintained by University Information Services. It is provided here in the hope that it may be useful, but it may contain bugs and security vulnerabilities. It may be supported and maintained by others. You should evaluate whether it meets your particular needs before using it.

The UcamWebauth PHP class provides an application agent for making authentication requests to the UcamWebauth server that can be called from PHP.

This module is not part of the Raven service and is not recommended or (officially) supported by UIS.

The code for this module is now maintained on GitHub at https://github.com/cambridgeuniversity/ucam-webauth-php. Please use the GitHub issue tracker to record problems and request enhancements. Pull requests containing bug fixes and enhancements are welcome -- UIS minimally-manages the repository and aims to merge all reasonable offerings.