simpleid/CHANGELOG.txt

SimpleID 1.0.6
--------------

- Enhancements:
    * Update autocomplete setting for one time password fields
- Bug fixes:
    * #86 Further fix to compatibility with PHP 8.2

SimpleID 1.0.5
--------------

- Bug fixes:
    * #85 Fix compatibility with PHP 8.2

SimpleID 1.0.4
--------------

- Bug fixes:
    * #81 Cache cleanup does not cover subdirectories


SimpleID 1.0.3
--------------

- Security enhancements:
    * #23 Configuration can now be in a separate conf directory
- Bug fixes:
    * #35 Fix undefined index error in discovery.inc.php

SimpleID 1.0.2
--------------

- Bug fixes:
    * #158 Incorrect handling of fsock-based HTTP requests

SimpleID 1.0.1
--------------

- Bug fixes:
    * #154 Duplicate random_bytes() function as it is now also a native
      function in PHP7
    * #155 Infinite loop in cache.inc if a particular cache type has not been
      created


SimpleID 1.0
------------

- Security enhancements:
    * #149 Add PBKDF2 to available password hashing algorithms to improve
      hashing security
    * #150 Changed hash string comparison function to mitigate against
      timing attacks


SimpleID 0.9.1
--------------

- Bug fixes:
    * #147 Incorrect update_access_check warning when upgrading
    * #148 Identity files with certlogin can now be symlinked from the
      identities directory


SimpleID 0.9
------------

- Security enhancements:
    * #9 Changed file extensions from .inc to .php
    * #69 #71 Require HTTPS for login pages
    * #100 Restricted path and added http_only flag for session cookies
    * #101 Implemented HTTP strict transport security header
    * #130 Added support for TOTP one-time passwords
- Improvements to identity files:
    * #21 Allow non-MD5 hash algorithms and salted passwords
    * #137 Identity files can now be symlinked from the identities
      directory
- Improvements to user interface:
    * #93 #106 Localization support
    * #103 Enhanced simpleweb error pages
    * #138 Refactored style sheets for better mobile device support
- New extension:
    * #85 certauth extension for authentication using client SSL
      certificates
- Improvements to SimpleID internals:
    * #58 #72 Dropped support for PHP 4 and fixed up PHP syntax
      warnings
    * #110 Refactored authentication system to allow for custom authentication
      extensions
    * #131 Refactored cache system to improve performance
    * #132 Refactored "remember me" cookies

SimpleID 0.8.5
--------------

- Bug fixes:
    * #129 Fixed bug introduced in 0.8.4 regarding Warning if
      suhosin.get.max_value_length configuration setting is too low
    * #134 PHP syntax warnings under PHP 5.3

SimpleID 0.8.4
--------------

- Bug fixes:
    * #123 Updated user interface to reflect change in SimpleID web site URL
    * #125 Fixed line ending (CRLF vs LF) bug introduced when migrating from
      SVN to Git
    * #122 Fixed PEAR package not loading PEAR_Config
    * #133 Fixed bug in bignum.inc where bignum_new() was returning $false
      instead of false
- Improvements to SimpleID internals:
    * #129 Warning if suhosin.get.max_value_length configuration setting
      is too low

SimpleID 0.8.3
--------------

- Bug fixes:
    * #119 Remove XRDS-Simple Type element from template.xtpl for Blogger
      interoperability

SimpleID 0.8.2
--------------

- Bug fixes:
    * #104 Detect missing PHP extensions
    * #105 Incorrect CSS property in simpleid.css
    * #108 Incorrect footer links
    * #109 Incorrect processing of HTTP requests and responses when used with
      SAPI CGI
    * #112 Incorrect reference to html/consent.js in page.inc
- Improvements to user interface:      
    * #111 Replaced packaged version of jQuery with CDN version

SimpleID 0.8.1
--------------

- Bug fixes:
    * #77 Incorrect detection of register_globals PHP configuration variable
    * #86 PHP syntax warnings in filesystem.store.inc
    * #88 Updated URL to Simple Registration Extension specification in
      example.identity.dist
    * #91 Missing parameters in simpleid_checkid_error()
    * #92 Corrected path handling in simpleweb
    * #98 Missing global variable in simpleid_openid_consent()
- Improvements to user interface:
    * #94 Switch redirects from form-based to HTTP header-based
- Improvements to the PAPE extension
    * #95 Added private personal identifiers
    

SimpleID 0.8
------------

- Improved OpenID specification compliance:
    * Added read-only support for attribute exchange extension
    * Addes support for provider authentication policy extension 
- Improvements to user interfaces:
    * #14 Added support for clean URLs
    * #18 Improved comformance to HTML specifications in user interface
    * #19 For OpenID immediate requests, assertion will not fail simply because
      return_to has not been verified
    * #23 Optional support for browsers to save SimpleID passwords
- Improvements to SimpleID internals:
    * Refactored function names
    * Refactored function layout in discovery.inc and openid.inc
    * Opened up identity store code to allow support for non filesystem based
      identity files
    * Improved source code documentation
    
SimpleID 0.7.6
--------------

- Fixed directory traversal vulnerability SA-2011-1
  (http://simpleid.sourceforge.net/advisories/sa-2011-1)

SimpleID 0.7.5
--------------

- Bug fixes:
    * #61 PHP safe mode causing curl configuration issues
    * #64 Issue with URL parsing under Simpleweb framework


SimpleID 0.7.4
--------------

- Fixed incorrect implementation of fix for PHP's handling of HTTP parameters.


SimpleID 0.7.3
--------------

- Bug fixes:
    * #47 PHP syntax warnings in discovery.inc.
    * #48 PHP syntax warnings in user.inc.
    * #50 Fix for PHP's handling of HTTP parameters.


SimpleID 0.7.2
--------------

- Bug fixes:
    * #40 PHP syntax warnings in simpleweb.inc.
    * #42 PHP syntax warnings in index.php.


SimpleID 0.7.1
--------------

- Bug fixes:
    * Incorrect specification for expiry time for auto login.
    * Fixed verification of credentials under legacy authentication.
    * Fixed incorrect signing of Simple Registration Extension response.
    * Fixed Javascript for digest authentication.
    * Used Javascript instead of forms for page redirection for better HTTPS
      user experience.


SimpleID 0.7
------------

- Improved OpenID specification compliance:
    * Added additional return_to verification using discovery.
    * Fixed support for SHA256.
    * Fixed indirect message URL encoding.
    * Fixed filtering of extension-specific parameters.
    * Fixed XRDS document for SimpleID.
- Preliminary implementation of the OpenID User Interface extension.
- Added support for GMP for improved performance for arbitary precision
  arithmetic operations.
- Improved user interface:
    * Separated Dashboard, My Profile and My Sites pages.
    * Added "log in as different user" functionality.
    * CSS improvements.
    * Added framekiller code.
    * Support for nicer URLs via mod_rewrite.
- Enhanced detection of SSL/TLS for user login page.
- Implemented flexible persistent storage system to store user data.
- Improved extension framework: major refactoring of hooks available to be
  utilised by extensions.
- Improved URL routing framework: included simpleweb.inc.
- Added upgrade script.
- Enhanced logging of status and errors.
- Enhanced code documentation.


SimpleID 0.6.5
--------------

- Bug fixes:
    * Fixed XSS vulnerability in user login page.
    * Fixed XRDS-Location HTTP header.


SimpleID 0.6.4
--------------

- Fixed user interface bug on trusted sites page (disable Submit button when
  there are no trusted sites).


SimpleID 0.6.3
--------------

- Fixed session_type verification response when using OpenID 1.1 associations.


SimpleID 0.6.2
--------------

- Fixed session_type verification issue when using OpenID 1.1 associations.


SimpleID 0.6.1
--------------
  
- Fixed return_to verification issue when using OpenID 1.1 (legacy handling of
  nonce parameter).

SimpleID 0.6
------------

- Bug fixes:
    * Fixed syntax errors in openid.inc.
    * Fixed incorrect error authentication response.
- Implemented digest authentication for user login (security enhancements).
- Implemented persistent login
- Enhanced form security:
    * Added form token verification.
    * Enhanced encoding of HTML special characters.
- Improved compliance against OpenID specifications:
    * Added return_to verification.
- Changed extension of extensions from .inc to .extension.inc.
- Enhanced code documentation.


SimpleID 0.5.1
--------------

- Bug fixes:
    * Removed remnants of maths question (removed in SimpleID 0.5) from user.inc
- Included Simple Registration Extension by default


SimpleID 0.5
------------

- Bug fixes:
    * Removed XSS vulnerabilities
    * Fixed incorrect processing of Simple Registration Extension parameters
    * Fixed URL for identifier selection.
- The identifier variable is now optional in identity files.  SimpleID automatically
  assigns an identifier to all identities where this is not specified.
- Log in security improvements:
    * Removed requirement to complete a maths question to log in.
    * Added nonce check into login page to detect repeat attacks.
- Improved compliance against OpenID specifications:
    * Enhanced support for OpenID 2.0.
    * Enhanced checking of request parameters.
    * Added support for discovery of SimpleID services via XRDS.
- Support for SHA256 where this is compiled into PHP.
- Added default profile page and XRDS document for each user.


SimpleID 0.2.1
--------------

- Bug fixes:
    * Removed incorrect and legacy handling of nonce parameter in OpenID 1.1
      authentication responses


SimpleID 0.2
------------

- Bug fixes:
    * Fixed template compile error in Simple Registration Extension.


SimpleID 0.1
------------

- Initial release