Merge pull request #9 from nitmir/dev

Update to version 0.6.2
2016-08-02 14:44:30 +02:00 · 2016-08-02 14:44:30 +02:00 · ba59060763
parent 8b27b8c5e0 773707e6c3
commit ba59060763
36 changed files with 1255 additions and 699 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,8 +1,6 @@
 language: python
 matrix:
  include:
  - python: "2.7"
    env: TOX_ENV=coverage
  - python: "2.7"
    env: TOX_ENV=flake8
  - python: "2.7"
@ -23,6 +21,8 @@ matrix:
    env: TOX_ENV=py35-django18
  - python: "3.5"
    env: TOX_ENV=py35-django19
  - python: "2.7"
    env: TOX_ENV=coverage
 cache:
  directories:
    - $HOME/.cache/pip/http/
--- a/4
+++ b/4
@ -38,7 +38,7 @@ dist:
 test_venv/bin/python:
 	virtualenv test_venv
-	test_venv/bin/pip install -U --requirement requirements-dev.txt Django
+	test_venv/bin/pip install -U --requirement requirements-dev.txt 'Django<1.10'
 test_venv/cas/manage.py: test_venv
 	mkdir -p test_venv/cas
@ -62,7 +62,7 @@ run_server: test_project
 run_tests: test_venv
 	python setup.py check --restructuredtext --stric
-	test_venv/bin/py.test --cov=cas_server --cov-report html
+	test_venv/bin/py.test -rw -x --cov=cas_server --cov-report html
 	rm htmlcov/coverage_html.js  # I am really pissed off by those keybord shortcuts
 test_venv/bin/sphinx-build: test_venv
--- a/README.rst
+++ b/README.rst
@ -29,11 +29,49 @@ Dependencies
 ``django-cas-server`` depends on the following python packages:
-* Django >= 1.7 < 1.10
+* Django >= 1.7.1 < 1.10
 * requests >= 2.4
 * requests_futures >= 0.9.5
 * lxml >= 3.4
-* six >= 1
+* six >= 1.8
 Minimal version of packages dependancy are just indicative and meens that ``django-cas-server`` has
 been tested with it. Previous versions of dependencies may or may not work.
 Additionally, denpending of the authentication backend you plan to use, you may need the following
 python packages:
 * ldap3
 * psycopg2
 * mysql-python
 Here there is a table with the name of python packages and the corresponding packages providing
 them on debian like systems and centos like systems.
 You should try as much as possible to use system packages as there are automatically updated then
 you update your system. You can then install Not Available (N/A)
 packages on your system using pip inside a virtualenv as described in the `Installation`_ section.
 For use with python3, just replace python(2) in the table by python3.
 +------------------+-------------------------+---------------------+
 | python package   | debian like systems     | centos like systems |
 +==================+=========================+=====================+
 | Django           | python-django           | python-django       |
 +------------------+-------------------------+---------------------+
 | requests         | python-requests         | python-requests     |
 +------------------+-------------------------+---------------------+
 | requests_futures | python-requests-futures | N/A                 |
 +------------------+-------------------------+---------------------+
 | lxml             | python-lxml             | python-lxml         |
 +------------------+-------------------------+---------------------+
 | six              | python-six              | python-six          |
 +------------------+-------------------------+---------------------+
 | ldap3            | python-ldap3            | python-ldap3        |
 +------------------+-------------------------+---------------------+
 | psycopg2         | python-psycopg2         | python-psycopg2     |
 +------------------+-------------------------+---------------------+
 | mysql-python     | python-mysqldb          | python2-mysql       |
 +------------------+-------------------------+---------------------+
 Installation
 ============
@ -63,14 +101,17 @@ The recommended installation mode is to use a virtualenv with ``--system-site-pa
    New python executable in cas/bin/python2
    Also creating executable in cas/bin/python
    Installing setuptools, pip...done.
 4. And `activate it <https://virtualenv.pypa.io/en/stable/userguide/#activate-script>`__::
    $ cd cas_venv/; . bin/activate
-4. Create a django project::
+5. Create a django project::
   $ django-admin startproject cas_project
   $ cd cas_project
-5. Install `django-cas-server`. To use the last published release, run::
+6. Install `django-cas-server`. To use the last published release, run::
    $ pip install django-cas-server
@ -81,11 +122,11 @@ The recommended installation mode is to use a virtualenv with ``--system-site-pa
    $ pip install -r requirements.txt
   Then, either run ``make install`` to create a python package using the sources of the repository
-   and install it with pip, or place the `cas_server` directory into your
+   and install it with pip, or place the ``cas_server`` directory into your
   `PYTHONPATH <https://docs.python.org/2/using/cmdline.html#envvar-PYTHONPATH>`_
-   (for instance by symlinking `cas_server` to the root of your django project).
+   (for instance by symlinking ``cas_server`` to the root of your django project).
-6. Open ``cas_project/settings.py`` in you favourite editor and follow the quick start section.
+7. Open ``cas_project/settings.py`` in you favourite editor and follow the quick start section.
 Quick start
@ -145,7 +186,7 @@ Quick start
 6. Start the development server and visit http://127.0.0.1:8000/admin/
   to add a first service allowed to authenticate user against the CAS
-   (you'll need the Admin app enabled). See the Service Patterns section bellow.
+   (you'll need the Admin app enabled). See the `Service Patterns`_ section bellow.
 7. Visit http://127.0.0.1:8000/cas/ to login with your django users.
@ -163,6 +204,8 @@ Template settings
 * ``CAS_LOGO_URL``: URL to the logo showed in the up left corner on the default
  templates. Set it to ``False`` to disable it.
 * ``CAS_FAVICON_URL``: URL to the favicon (shortcut icon) used by the default templates.
  Default is a key icon. Set it to ``False`` to disable it.
 * ``CAS_COMPONENT_URLS``: URLs to css and javascript external components. It is a dictionnary
  and it must have the five following keys: ``"bootstrap3_css"``, ``"bootstrap3_js"``,
  ``"html5shiv"``, ``"respond"``, ``"jquery"``. The default is::
@ -191,12 +234,14 @@ Template settings
 Authentication settings
 -----------------------
-*  ``CAS_AUTH_CLASS``: A dotted path to a class or a class implementing
+* ``CAS_AUTH_CLASS``: A dotted path to a class or a class implementing
-   ``cas_server.auth.AuthUser``. The default is ``"cas_server.auth.DjangoAuthUser"``
+  ``cas_server.auth.AuthUser``. The default is ``"cas_server.auth.DjangoAuthUser"``
  Available classes bundled with ``django-cas-server`` are listed below in the
  `Authentication backend`_ section.
-*  ``SESSION_COOKIE_AGE``: This is a django settings. Here, it control the delay in seconds after
+* ``SESSION_COOKIE_AGE``: This is a django settings. Here, it control the delay in seconds after
-   which inactive users are logged out. The default is ``1209600`` (2 weeks). You probably should
+  which inactive users are logged out. The default is ``1209600`` (2 weeks). You probably should
-   reduce it to something like ``86400`` seconds (1 day).
+  reduce it to something like ``86400`` seconds (1 day).
 * ``CAS_PROXY_CA_CERTIFICATE_PATH``: Path to certificate authorities file. Usually on linux
  the local CAs are in ``/etc/ssl/certs/ca-certificates.crt``. The default is ``True`` which
@ -212,13 +257,23 @@ Authentication settings
 Federation settings
 -------------------
-* ``CAS_FEDERATE``: A boolean for activating the federated mode (see the federate section below).
+* ``CAS_FEDERATE``: A boolean for activating the federated mode (see the `Federation mode`_
-  The default is ``False``.
+  section below). The default is ``False``.
 * ``CAS_FEDERATE_REMEMBER_TIMEOUT``: Time after witch the cookie use for "remember my identity
  provider" expire. The default is ``604800``, one week. The cookie is called
  ``_remember_provider``.
 New version warnings settings
 -----------------------------
 * ``CAS_NEW_VERSION_HTML_WARNING``: A boolean for diplaying a warning on html pages then a new
  version of the application is avaible. Once closed by a user, it is not displayed to this user
  until the next new version. The default is ``True``.
 * ``CAS_NEW_VERSION_EMAIL_WARNING``: A bolean sot sending a email to ``settings.ADMINS`` when a new
  version is available. The default is ``True``.
 Tickets validity settings
 -------------------------
@ -257,6 +312,7 @@ Tickets miscellaneous settings
 Mysql backend settings
 ----------------------
 Deprecated, see the `Sql backend settings`_.
 Only usefull if you are using the mysql authentication backend:
 * ``CAS_SQL_HOST``: Host for the SQL server. The default is ``"localhost"``.
@ -283,6 +339,64 @@ Only usefull if you are using the mysql authentication backend:
  The default is ``"crypt"``.
 Sql backend settings
 --------------------
 Only usefull if you are using the sql authentication backend. You must add a ``"cas_server"``
 database to `settings.DATABASES <https://docs.djangoproject.com/fr/1.9/ref/settings/#std:setting-DATABASES>`__
 as defined in the django documentation. It is then the database
 use by the sql backend.
 * ``CAS_SQL_USER_QUERY``: The query performed upon user authentication.
  The username must be in field ``username``, the password in ``password``,
  additional fields are used as the user attributes.
  The default is ``"SELECT user AS username, pass AS password, users.* FROM users WHERE user = %s"``
 * ``CAS_SQL_PASSWORD_CHECK``: The method used to check the user password. Must be one of the following:
  * ``"crypt"`` (see <https://en.wikipedia.org/wiki/Crypt_(C)>), the password in the database
    should begin this $
  * ``"ldap"`` (see https://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html)
    the password in the database must begin with one of {MD5}, {SMD5}, {SHA}, {SSHA}, {SHA256},
    {SSHA256}, {SHA384}, {SSHA384}, {SHA512}, {SSHA512}, {CRYPT}.
  * ``"hex_HASH_NAME"`` with ``HASH_NAME`` in md5, sha1, sha224, sha256, sha384, sha512.
    The hashed password in the database is compare to the hexadecimal digest of the clear
    password hashed with the corresponding algorithm.
  * ``"plain"``, the password in the database must be in clear.
  The default is ``"crypt"``.
 * ``CAS_SQL_PASSWORD_CHARSET``: Charset the SQL users passwords was hash with. This is needed to
  encode the user sended password before hashing it for comparison. The default is ``"utf-8"``.
 Ldap backend settings
 ---------------------
 Only usefull if you are using the ldap authentication backend:
 * ``CAS_LDAP_SERVER``: Address of the LDAP server. The default is ``"localhost"``.
 * ``CAS_LDAP_USER``: User bind address, for example ``"cn=admin,dc=crans,dc=org"`` for
  connecting to the LDAP server.
 * ``CAS_LDAP_PASSWORD``: Password for connecting to the LDAP server.
 * ``CAS_LDAP_BASE_DN``: LDAP search base DN, for example ``"ou=data,dc=crans,dc=org"``.
 * ``CAS_LDAP_USER_QUERY``: Search filter for searching user by username. User inputed usernames are
  escaped using ``ldap3.utils.conv.escape_bytes``. The default is ``"(uid=%s)"``
 * ``CAS_LDAP_USERNAME_ATTR``: Attribute used for users usernames. The default is ``"uid"``
 * ``CAS_LDAP_PASSWORD_ATTR``: Attribute used for users passwords. The default is ``"userPassword"``
 * ``CAS_LDAP_PASSWORD_CHECK``: The method used to check the user password. Must be one of the following:
  * ``"crypt"`` (see <https://en.wikipedia.org/wiki/Crypt_(C)>), the password in the database
    should begin this $
  * ``"ldap"`` (see https://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html)
    the password in the database must begin with one of {MD5}, {SMD5}, {SHA}, {SSHA}, {SHA256},
    {SSHA256}, {SHA384}, {SSHA384}, {SHA512}, {SSHA512}, {CRYPT}.
  * ``"hex_HASH_NAME"`` with ``HASH_NAME`` in md5, sha1, sha224, sha256, sha384, sha512.
    The hashed password in the database is compare to the hexadecimal digest of the clear
    password hashed with the corresponding algorithm.
  * ``"plain"``, the password in the database must be in clear.
  The default is ``"ldap"``.
 * ``CAS_LDAP_PASSWORD_CHARSET``: Charset the LDAP users passwords was hash with. This is needed to
  encode the user sended password before hashing it for comparison. The default is ``"utf-8"``.
 Test backend settings
 ---------------------
 Only usefull if you are using the test authentication backend:
@ -304,11 +418,17 @@ Authentication backend
  for the user are defined by the ``CAS_TEST_*`` settings.
 * django backend ``cas_server.auth.DjangoAuthUser``: Users are authenticated against django users system.
  This is the default backend. The returned attributes are the fields available on the user model.
-* mysql backend ``cas_server.auth.MysqlAuthUser``: see the 'Mysql backend settings' section.
+* mysql backend ``cas_server.auth.MysqlAuthUser``: Deprecated, use the sql backend instead.
  see the `Mysql backend settings`_ section. The returned attributes are those return by sql query
  ``CAS_SQL_USER_QUERY``.
 * sql backend ``cas_server.auth.SqlAuthUser``: see the `Sql backend settings`_ section.
  The returned attributes are those return by sql query ``CAS_SQL_USER_QUERY``.
 * ldap backend ``cas_server.auth.LdapAuthUser``: see the `Ldap backend settings`_ section.
  The returned attributes are those of the ldap node returned by the query filter ``CAS_LDAP_USER_QUERY``.
 * federated backend ``cas_server.auth.CASFederateAuth``: It is automatically used then ``CAS_FEDERATE`` is ``True``.
  You should not set it manually without setting ``CAS_FEDERATE`` to ``True``.
 Logs
 ====
--- a/cas_server/init.py
+++ b/cas_server/init.py
@ -9,5 +9,9 @@
 #
 # (c) 2015-2016 Valentin Samir
 """A django CAS server application"""
 #: version of the application
 VERSION = '0.6.2'
 #: path the the application configuration class
 default_app_config = 'cas_server.apps.CasAppConfig'
--- a/cas_server/auth.py
+++ b/cas_server/auth.py
@ -13,16 +13,25 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.utils import timezone
 from django.db import connections, DatabaseError
 import warnings
 from datetime import timedelta
 from six.moves import range
 try:  # pragma: no cover
    import MySQLdb
    import MySQLdb.cursors
    from utils import check_password
 except ImportError:
    MySQLdb = None
 try:  # pragma: no cover
    import ldap3
 except ImportError:
    ldap3 = None
 from .models import FederatedUser
 from .utils import check_password, dictfetchall
 class AuthUser(object):
@ -116,19 +125,46 @@ class TestAuthUser(AuthUser):
            return {}
-class MysqlAuthUser(AuthUser):  # pragma: no cover
+class DBAuthUser(AuthUser):  # pragma: no cover
    """base class for databate based auth classes"""
    #: DB user attributes as a :class:`dict` if the username is found in the database.
    user = None
    def attributs(self):
        """
            The user attributes.
            :return: a :class:`dict` with the user attributes. Attributes may be :func:`unicode`
                or :class:`list` of :func:`unicode`. If the user do not exists, the returned
                :class:`dict` is empty.
            :rtype: dict
        """
        if self.user:
            return self.user
        else:
            return {}
 class MysqlAuthUser(DBAuthUser):  # pragma: no cover
    """
-        A mysql authentication class: authentication user agains a mysql database
+        DEPRECATED, use :class:`SqlAuthUser` instead.
        A mysql authentication class: authenticate user agains a mysql database
        :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
            class attribute. Valid value are fetched from the MySQL database set with
            ``settings.CAS_SQL_*`` settings parameters using the query
            ``settings.CAS_SQL_USER_QUERY``.
    """
    #: Mysql user attributes as a :class:`dict` if the username is found in the database.
    user = None
    def __init__(self, username):
        warnings.warn(
            (
                "MysqlAuthUser authentication class is deprecated: "
                "use cas_server.auth.SqlAuthUser instead"
            ),
            UserWarning
        )
        # see the connect function at
        # http://mysql-python.sourceforge.net/MySQLdb.html#functions-and-attributes
        # for possible mysql config parameters.
@ -169,24 +205,130 @@ class MysqlAuthUser(AuthUser):  # pragma: no cover
        else:
            return False
    def attributs(self):
        """
            The user attributes.
-            :return: a :class:`dict` with the user attributes. Attributes may be :func:`unicode`
+class SqlAuthUser(DBAuthUser):  # pragma: no cover
-                or :class:`list` of :func:`unicode`. If the user do not exists, the returned
+    """
-                :class:`dict` is empty.
+        A SQL authentication class: authenticate user agains a SQL database. The SQL database
-            :rtype: dict
+        must be configures in settings.py as ``settings.DATABASES['cas_server']``.
        :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
            class attribute. Valid value are fetched from the MySQL database set with
            ``settings.CAS_SQL_*`` settings parameters using the query
            ``settings.CAS_SQL_USER_QUERY``.
    """
    def __init__(self, username):
        if "cas_server" not in connections:
            raise RuntimeError("Please configure the 'cas_server' database in settings.DATABASES")
        for retry_nb in range(3):
            try:
                with connections["cas_server"].cursor() as curs:
                    curs.execute(settings.CAS_SQL_USER_QUERY, (username,))
                    results = dictfetchall(curs)
                    if len(results) == 1:
                        self.user = results[0]
                        super(SqlAuthUser, self).__init__(self.user['username'])
                    else:
                        super(SqlAuthUser, self).__init__(username)
                break
            except DatabaseError:
                connections["cas_server"].close()
                if retry_nb == 2:
                    raise
    def test_password(self, password):
        """
            Tests ``password`` agains the user password.
            :param unicode password: a clear text password as submited by the user.
            :return: ``True`` if :attr:`username<AuthUser.username>` is valid and ``password`` is
                correct, ``False`` otherwise.
            :rtype: bool
        """
        if self.user:
-            return self.user
+            return check_password(
                settings.CAS_SQL_PASSWORD_CHECK,
                password,
                self.user["password"],
                settings.CAS_SQL_PASSWORD_CHARSET
            )
        else:
-            return {}
+            return False
 class LdapAuthUser(DBAuthUser):  # pragma: no cover
    """
        A ldap authentication class: authenticate user against a ldap database
        :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
            class attribute. Valid value are fetched from the ldap database set with
            ``settings.CAS_LDAP_*`` settings parameters.
    """
    _conn = None
    @classmethod
    def get_conn(cls):
        """Return a connection object to the ldap database"""
        conn = cls._conn
        if conn is None or conn.closed:
            conn = ldap3.Connection(
                settings.CAS_LDAP_SERVER,
                settings.CAS_LDAP_USER,
                settings.CAS_LDAP_PASSWORD,
                auto_bind=True
            )
            cls._conn = conn
        return conn
    def __init__(self, username):
        if not ldap3:
            raise RuntimeError("Please install ldap3 before using the LdapAuthUser backend")
        # in case we got deconnected from the database, retry to connect 2 times
        for retry_nb in range(3):
            try:
                conn = self.get_conn()
                if conn.search(
                    settings.CAS_LDAP_BASE_DN,
                    settings.CAS_LDAP_USER_QUERY % ldap3.utils.conv.escape_bytes(username),
                    attributes=ldap3.ALL_ATTRIBUTES
                ) and len(conn.entries) == 1:
                    user = conn.entries[0].entry_get_attributes_dict()
                    if user.get(settings.CAS_LDAP_USERNAME_ATTR):
                        self.user = user
                        super(LdapAuthUser, self).__init__(user[settings.CAS_LDAP_USERNAME_ATTR][0])
                    else:
                        super(LdapAuthUser, self).__init__(username)
                else:
                    super(LdapAuthUser, self).__init__(username)
                break
            except ldap3.LDAPCommunicationError:
                if retry_nb == 2:
                    raise
    def test_password(self, password):
        """
            Tests ``password`` agains the user password.
            :param unicode password: a clear text password as submited by the user.
            :return: ``True`` if :attr:`username<AuthUser.username>` is valid and ``password`` is
                correct, ``False`` otherwise.
            :rtype: bool
        """
        if self.user and self.user.get(settings.CAS_LDAP_PASSWORD_ATTR):
            return check_password(
                settings.CAS_LDAP_PASSWORD_CHECK,
                password,
                self.user[settings.CAS_LDAP_PASSWORD_ATTR][0],
                settings.CAS_LDAP_PASSWORD_CHARSET
            )
        else:
            return False
 class DjangoAuthUser(AuthUser):  # pragma: no cover
    """
-        A django auth class: authenticate user agains django internal users
+        A django auth class: authenticate user against django internal users
        :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
            class attribute. Valid value are usernames of django internal users.
--- a/cas_server/cas.py
+++ b/cas_server/cas.py
@ -134,6 +134,14 @@ class CASClientBase(object):
                raise CASError(errors[0].attrib['code'], errors[0].text)
        raise CASError("Bad http code %s" % response.code)
    @staticmethod
    def get_page_charset(page, default="utf-8"):
        content_type = page.info().get('Content-type')
        if content_type and "charset=" in content_type:
            return content_type.split("charset=")[-1]
        else:
            return default
 class CASClientV1(CASClientBase, ReturnUnicode):
    """CAS Client Version 1"""
@ -146,17 +154,15 @@ class CASClientV1(CASClientBase, ReturnUnicode):
        Returns username on success and None on failure.
        """
        params = [('ticket', ticket), ('service', self.service_url)]
        if self.renew:
            params.append(('renew', 'true'))
        url = (urllib_parse.urljoin(self.server_url, 'validate') + '?' +
               urllib_parse.urlencode(params))
        page = urllib_request.urlopen(url)
        try:
            verified = page.readline().strip()
            if verified == b'yes':
-                content_type = page.info().get('Content-type')
+                charset = self.get_page_charset(page, default="ascii")
                if "charset=" in content_type:
                    charset = content_type.split("charset=")[-1]
                else:
                    charset = "ascii"
                user = self.u(page.readline().strip(), charset)
                return user, None, None
            else:
@ -183,17 +189,15 @@ class CASClientV2(CASClientBase, ReturnUnicode):
    def get_verification_response(self, ticket):
        params = [('ticket', ticket), ('service', self.service_url)]
        if self.renew:
            params.append(('renew', 'true'))
        if self.proxy_callback:
            params.append(('pgtUrl', self.proxy_callback))
        base_url = urllib_parse.urljoin(self.server_url, self.url_suffix)
        url = base_url + '?' + urllib_parse.urlencode(params)
        page = urllib_request.urlopen(url)
        try:
-            content_type = page.info().get('Content-type')
+            charset = self.get_page_charset(page)
            if "charset=" in content_type:
                charset = content_type.split("charset=")[-1]
            else:
                charset = "ascii"
            return (page.read(), charset)
        finally:
            page.close()
@ -306,11 +310,7 @@ class CASClientWithSAMLV1(CASClientV2, SingleLogoutMixin):
            from elementtree import ElementTree
        page = self.fetch_saml_validation(ticket)
-        content_type = page.info().get('Content-type')
+        charset = self.get_page_charset(page)
        if "charset=" in content_type:
            charset = content_type.split("charset=")[-1]
        else:
            charset = "ascii"
        try:
            user = None
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@ -18,6 +18,8 @@ from importlib import import_module
 #: URL to the logo showed in the up left corner on the default templates.
 CAS_LOGO_URL = static("cas_server/logo.png")
 #: URL to the favicon (shortcut icon) used by the default templates. Default is a key icon.
 CAS_FAVICON_URL = static("cas_server/favicon.ico")
 #: URLs to css and javascript external components.
 CAS_COMPONENT_URLS = {
    "bootstrap3_css": "//maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css",
@ -110,12 +112,39 @@ CAS_SQL_PASSWORD = ''
 CAS_SQL_DBNAME = ''
 #: Database charset.
 CAS_SQL_DBCHARSET = 'utf8'
 #: The query performed upon user authentication.
-CAS_SQL_USER_QUERY = 'SELECT user AS usersame, pass AS password, users.* FROM users WHERE user = %s'
+CAS_SQL_USER_QUERY = 'SELECT user AS username, pass AS password, users.* FROM users WHERE user = %s'
 #: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
 #: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
 #: ``"hex_sha512"``, ``"plain"``.
-CAS_SQL_PASSWORD_CHECK = 'crypt'  # crypt or plain
+CAS_SQL_PASSWORD_CHECK = 'crypt'
 #: charset the SQL users passwords was hash with
 CAS_SQL_PASSWORD_CHARSET = "utf-8"
 #: Address of the LDAP server
 CAS_LDAP_SERVER = 'localhost'
 #: LDAP user bind address, for example ``"cn=admin,dc=crans,dc=org"`` for connecting to the LDAP
 #: server.
 CAS_LDAP_USER = None
 #: LDAP connection password
 CAS_LDAP_PASSWORD = None
 #: LDAP seach base DN, for example ``"ou=data,dc=crans,dc=org"``.
 CAS_LDAP_BASE_DN = None
 #: LDAP search filter for searching user by username. User inputed usernames are escaped using
 #: :func:`ldap3.utils.conv.escape_bytes`.
 CAS_LDAP_USER_QUERY = "(uid=%s)"
 #: LDAP attribute used for users usernames
 CAS_LDAP_USERNAME_ATTR = "uid"
 #: LDAP attribute used for users passwords
 CAS_LDAP_PASSWORD_ATTR = "userPassword"
 #: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
 #: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
 #: ``"hex_sha512"``, ``"plain"``.
 CAS_LDAP_PASSWORD_CHECK = "ldap"
 #: charset the LDAP users passwords was hash with
 CAS_LDAP_PASSWORD_CHARSET = "utf-8"
 #: Username of the test user.
@ -140,6 +169,15 @@ CAS_FEDERATE = False
 #: Time after witch the cookie use for “remember my identity provider” expire (one week).
 CAS_FEDERATE_REMEMBER_TIMEOUT = 604800
 #: A :class:`bool` for diplaying a warning on html pages then a new version of the application
 #: is avaible. Once closed by a user, it is not displayed to this user until the next new version.
 CAS_NEW_VERSION_HTML_WARNING = True
 #: A :class:`bool` for sending emails to ``settings.ADMINS`` when a new version is available.
 CAS_NEW_VERSION_EMAIL_WARNING = True
 #: URL to the pypi json of the application. Used to retreive the version number of the last version.
 #: You should not change it.
 CAS_NEW_VERSION_JSON_URL = "https://pypi.python.org/pypi/django-cas-server/json"
 GLOBALS = globals().copy()
 for name, default_value in GLOBALS.items():
    # get the current setting value, falling back to default_value
--- a/cas_server/federate.py
+++ b/cas_server/federate.py
@ -42,13 +42,13 @@ class CASFederateValidateUser(object):
    #: the identity provider
    provider = None
-    def __init__(self, provider, service_url):
+    def __init__(self, provider, service_url, renew=False):
        self.provider = provider
        self.client = CASClient(
            service_url=service_url,
            version=provider.cas_protocol_version,
            server_url=provider.server_url,
-            renew=False,
+            renew=renew,
        )
    def get_login_url(self):
--- a/cas_server/forms.py
+++ b/cas_server/forms.py
@ -19,49 +19,56 @@ import cas_server.models as models
 class BootsrapForm(forms.Form):
-    """Form base class to use boostrap then rendering the form fields"""
+    """
        Bases: :class:`django.forms.Form`
        Form base class to use boostrap then rendering the form fields
    """
    def __init__(self, *args, **kwargs):
        super(BootsrapForm, self).__init__(*args, **kwargs)
-        for (name, field) in self.fields.items():
+        for field in self.fields.values():
            # Only tweak the fiel if it will be displayed
            if not isinstance(field.widget, forms.HiddenInput):
                # tell to display the field (used in form.html)
                self[name].display = True
                attrs = {}
-                if isinstance(field.widget, forms.CheckboxInput):
+                if not isinstance(field.widget, forms.CheckboxInput):
                    self[name].checkbox = True
                else:
                    attrs['class'] = "form-control"
-                    if field.label:
+                    if field.label:  # pragma: no branch (currently all field are hidden or labeled)
                        attrs["placeholder"] = field.label
                if field.required:
                    attrs["required"] = "required"
                field.widget.attrs.update(attrs)
-class WarnForm(BootsrapForm):
+class BaseLogin(BootsrapForm):
    """
-        Bases: :class:`django.forms.Form`
+        Bases: :class:`BootsrapForm`
-        Form used on warn page before emiting a ticket
+        Base form with all field possibly hidden on the login pages
    """
    #: The service url for which the user want a ticket
    service = forms.CharField(widget=forms.HiddenInput(), required=False)
    #: A valid LoginTicket to prevent POST replay
    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
    #: Is the service asking the authentication renewal ?
    renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
    #: Url to redirect to if the authentication fail (user not authenticated or bad service)
    gateway = forms.CharField(widget=forms.HiddenInput(), required=False)
    method = forms.CharField(widget=forms.HiddenInput(), required=False)
 class WarnForm(BaseLogin):
    """
        Bases: :class:`BaseLogin`
        Form used on warn page before emiting a ticket
    """
    #: ``True`` if the user has been warned of the ticket emission
    warned = forms.BooleanField(widget=forms.HiddenInput(), required=False)
    #: A valid LoginTicket to prevent POST replay
    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
-class FederateSelect(BootsrapForm):
+class FederateSelect(BaseLogin):
    """
-        Bases: :class:`django.forms.Form`
+        Bases: :class:`BaseLogin`
        Form used on the login page when ``settings.CAS_FEDERATE`` is ``True``
        allowing the user to choose an identity provider.
@ -76,39 +83,30 @@ class FederateSelect(BootsrapForm):
        to_field_name="suffix",
        label=_('Identity provider'),
    )
-    #: The service url for which the user want a ticket
+    #: A checkbox to ask to be warn before emiting a ticket for another service
-    service = forms.CharField(label=_('service'), widget=forms.HiddenInput(), required=False)
+    warn = forms.BooleanField(
-    method = forms.CharField(widget=forms.HiddenInput(), required=False)
+        label=_('Warn me before logging me into other sites.'),
        required=False
    )
    #: A checkbox to remember the user choices of :attr:`provider<FederateSelect.provider>`
    remember = forms.BooleanField(label=_('Remember the identity provider'), required=False)
    #: A checkbox to ask to be warn before emiting a ticket for another service
    warn = forms.BooleanField(label=_('warn'), required=False)
    #: Is the service asking the authentication renewal ?
    renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
-class UserCredential(BootsrapForm):
+class UserCredential(BaseLogin):
    """
-         Bases: :class:`django.forms.Form`
+         Bases: :class:`BaseLogin`
         Form used on the login page to retrive user credentials
     """
    #: The user username
-    username = forms.CharField(label=_('login'))
+    username = forms.CharField(label=_('username'))
    #: The service url for which the user want a ticket
    service = forms.CharField(label=_('service'), widget=forms.HiddenInput(), required=False)
    #: The user password
    password = forms.CharField(label=_('password'), widget=forms.PasswordInput)
    #: A valid LoginTicket to prevent POST replay
    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
    method = forms.CharField(widget=forms.HiddenInput(), required=False)
    #: A checkbox to ask to be warn before emiting a ticket for another service
-    warn = forms.BooleanField(label=_('warn'), required=False)
+    warn = forms.BooleanField(
-    #: Is the service asking the authentication renewal ?
+        label=_('Warn me before logging me into other sites.'),
-    renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
+        required=False
-
+    )
    def __init__(self, *args, **kwargs):
        super(UserCredential, self).__init__(*args, **kwargs)
    def clean(self):
        """
@ -124,7 +122,9 @@ class UserCredential(BootsrapForm):
        if auth.test_password(cleaned_data.get("password")):
            cleaned_data["username"] = auth.username
        else:
-            raise forms.ValidationError(_(u"Bad user"))
+            raise forms.ValidationError(
                _(u"The credentials you provided cannot be determined to be authentic.")
            )
        return cleaned_data
@ -148,21 +148,13 @@ class FederateUserCredential(UserCredential):
        This stub authentication form, allow to implement the federated mode with very few
        modificatons to the :class:`LoginView<cas_server.views.LoginView>` view.
    """
-    #: the user username with the ``@`` component
+
-    username = forms.CharField(widget=forms.HiddenInput())
+    def __init__(self, *args, **kwargs):
-    #: The service url for which the user want a ticket
+        super(FederateUserCredential, self).__init__(*args, **kwargs)
-    service = forms.CharField(widget=forms.HiddenInput(), required=False)
+        # All fields are hidden and auto filled by the /login view logic
-    #: The ``ticket`` used to authenticate the user against a provider
+        for name, field in self.fields.items():
-    password = forms.CharField(widget=forms.HiddenInput())
+            field.widget = forms.HiddenInput()
-    #: alias of :attr:`password`
+            self[name].display = False
    ticket = forms.CharField(widget=forms.HiddenInput())
    #: A valid LoginTicket to prevent POST replay
    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
    method = forms.CharField(widget=forms.HiddenInput(), required=False)
    #: Has the user asked to be warn before emiting a ticket for another service
    warn = forms.BooleanField(widget=forms.HiddenInput(), required=False)
    #: Is the service asking the authentication renewal ?
    renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
    def clean(self):
        """
--- a/cas_server/locale/en/LC_MESSAGES/django.mo
+++ b/cas_server/locale/en/LC_MESSAGES/django.mo
--- a/cas_server/locale/en/LC_MESSAGES/django.po
+++ b/cas_server/locale/en/LC_MESSAGES/django.po
@ -1,371 +0,0 @@
 # SOME DESCRIPTIVE TITLE.
 # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
 # This file is distributed under the same license as the PACKAGE package.
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2016-07-04 17:36+0200\n"
 "PO-Revision-Date: 2016-07-04 17:39+0200\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
 "Language: en\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "X-Generator: Poedit 1.8.8\n"
 #: apps.py:19 templates/cas_server/base.html:3
 #: templates/cas_server/base.html:20
 msgid "Central Authentication Service"
 msgstr "Central Authentication Service"
 #: forms.py:43
 msgid "Identity provider"
 msgstr "Identity provider"
 #: forms.py:45 forms.py:55 forms.py:106
 msgid "service"
 msgstr ""
 #: forms.py:47
 msgid "Remember the identity provider"
 msgstr "Remember the identity provider"
 #: forms.py:48 forms.py:59
 msgid "warn"
 msgstr " Warn me before logging me into other sites."
 #: forms.py:54
 msgid "login"
 msgstr "username"
 #: forms.py:56
 msgid "password"
 msgstr "password"
 #: forms.py:71
 msgid "Bad user"
 msgstr "The credentials you provided cannot be determined to be authentic."
 #: forms.py:96
 msgid "User not found in the temporary database, please try to reconnect"
 msgstr ""
 #: management/commands/cas_clean_federate.py:20
 msgid "Clean old federated users"
 msgstr "Clean old federated users"
 #: management/commands/cas_clean_sessions.py:22
 msgid "Clean deleted sessions"
 msgstr "Clean deleted sessions"
 #: management/commands/cas_clean_tickets.py:22
 msgid "Clean old trickets"
 msgstr "Clean old trickets"
 #: models.py:42
 msgid "identity provider"
 msgstr "identity provider"
 #: models.py:43
 msgid "identity providers"
 msgstr "identity providers"
 #: models.py:47
 msgid "suffix"
 msgstr ""
 #: models.py:48
 msgid ""
 "Suffix append to backend CAS returner username: `returned_username`@`suffix`"
 msgstr ""
 #: models.py:50
 msgid "server url"
 msgstr ""
 #: models.py:59
 msgid "CAS protocol version"
 msgstr ""
 #: models.py:60
 msgid ""
 "Version of the CAS protocol to use when sending requests the the backend CAS"
 msgstr ""
 #: models.py:65
 msgid "verbose name"
 msgstr ""
 #: models.py:66
 msgid "Name for this identity provider displayed on the login page"
 msgstr ""
 #: models.py:70 models.py:317
 msgid "position"
 msgstr "position"
 #: models.py:80
 msgid "display"
 msgstr ""
 #: models.py:81
 msgid "Display the provider on the login page"
 msgstr ""
 #: models.py:164
 msgid "User"
 msgstr ""
 #: models.py:165
 msgid "Users"
 msgstr ""
 #: models.py:234
 #, python-format
 msgid "Error during service logout %s"
 msgstr "Error during service logout %s"
 #: models.py:312
 msgid "Service pattern"
 msgstr "Service pattern"
 #: models.py:313
 msgid "Services patterns"
 msgstr ""
 #: models.py:318
 msgid "service patterns are sorted using the position attribute"
 msgstr ""
 #: models.py:325 models.py:449
 msgid "name"
 msgstr "name"
 #: models.py:326
 msgid "A name for the service"
 msgstr "A name for the service"
 #: models.py:331 models.py:478 models.py:497
 msgid "pattern"
 msgstr "pattern"
 #: models.py:333
 msgid ""
 "A regular expression matching services. Will usually looks like '^https://"
 "some\\.server\\.com/path/.*$'.As it is a regular expression, special "
 "character must be escaped with a '\\'."
 msgstr ""
 "A regular expression matching services. Will usually looks like '^https://"
 "some\\.server\\.com/path/.*$'.As it is a regular expression, special "
 "character must be escaped with a '\\'."
 #: models.py:342
 msgid "user field"
 msgstr ""
 #: models.py:343
 msgid "Name of the attribut to transmit as username, empty = login"
 msgstr "Name of the attribut to transmit as username, empty = login"
 #: models.py:347
 msgid "restrict username"
 msgstr ""
 #: models.py:348
 msgid "Limit username allowed to connect to the list provided bellow"
 msgstr "Limit username allowed to connect to the list provided bellow"
 #: models.py:352
 msgid "proxy"
 msgstr "proxy"
 #: models.py:353
 msgid "Proxy tickets can be delivered to the service"
 msgstr "Proxy tickets can be delivered to the service"
 #: models.py:357
 msgid "proxy callback"
 msgstr "proxy callback"
 #: models.py:358
 msgid "can be used as a proxy callback to deliver PGT"
 msgstr "can be used as a proxy callback to deliver PGT"
 #: models.py:362
 msgid "single log out"
 msgstr ""
 #: models.py:363
 msgid "Enable SLO for the service"
 msgstr "Enable SLO for the service"
 #: models.py:370
 msgid "single log out callback"
 msgstr ""
 #: models.py:371
 msgid ""
 "URL where the SLO request will be POST. empty = service url\n"
 "This is usefull for non HTTP proxied services."
 msgstr ""
 #: models.py:433
 msgid "username"
 msgstr ""
 #: models.py:434
 msgid "username allowed to connect to the service"
 msgstr "username allowed to connect to the service"
 #: models.py:450
 msgid "name of an attribut to send to the service, use * for all attributes"
 msgstr "name of an attribut to send to the service, use * for all attributes"
 #: models.py:455 models.py:503
 msgid "replace"
 msgstr "replace"
 #: models.py:456
 msgid ""
 "name under which the attribut will be showto the service. empty = default "
 "name of the attribut"
 msgstr ""
 "name under which the attribut will be showto the service. empty = default "
 "name of the attribut"
 #: models.py:473 models.py:492
 msgid "attribut"
 msgstr "attribut"
 #: models.py:474
 msgid "Name of the attribut which must verify pattern"
 msgstr "Name of the attribut which must verify pattern"
 #: models.py:479
 msgid "a regular expression"
 msgstr "a regular expression"
 #: models.py:493
 msgid "Name of the attribut for which the value must be replace"
 msgstr "Name of the attribut for which the value must be replace"
 #: models.py:498
 msgid "An regular expression maching whats need to be replaced"
 msgstr "An regular expression maching whats need to be replaced"
 #: models.py:504
 msgid "replace expression, groups are capture by \\1, \\2 …"
 msgstr "replace expression, groups are capture by \\1, \\2 …"
 #: templates/cas_server/logged.html:6
 msgid "Logged"
 msgstr ""
 "<h3>Log In Successful</h3>You have successfully logged into the Central "
 "Authentication Service.<br/>For security reasons, please Log Out and Exit "
 "your web browser when you are done accessing services that require "
 "authentication!"
 #: templates/cas_server/logged.html:10
 msgid "Log me out from all my sessions"
 msgstr "Log me out from all my sessions"
 #: templates/cas_server/logged.html:13
 msgid "Logout"
 msgstr "Logout"
 #: templates/cas_server/login.html:8
 msgid "Please log in"
 msgstr "Please log in"
 #: templates/cas_server/login.html:13
 msgid "Login"
 msgstr "Login"
 #: templates/cas_server/warn.html:10
 msgid "Connect to the service"
 msgstr "Connect to the service"
 #: views.py:152
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
 msgstr ""
 "<h3>Logout successful</h3>You have successfully logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
 #: views.py:158
 #, python-format
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from %s sessions "
 "of the Central Authentication Service. For security reasons, exit your web "
 "browser."
 msgstr ""
 "<h3>Logout successful</h3>You have successfully logged out from %s sessions "
 "of the Central Authentication Service. For security reasons, exit your web "
 "browser."
 #: views.py:165
 msgid ""
 "<h3>Logout successful</h3>You were already logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
 msgstr ""
 "<h3>Logout successful</h3>You were already logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
 #: views.py:349
 msgid "Invalid login ticket"
 msgstr "Invalid login ticket, please retry to login"
 #: views.py:470
 #, python-format
 msgid "Authentication has been required by service %(name)s (%(url)s)"
 msgstr "Authentication has been required by service %(name)s (%(url)s)"
 #: views.py:508
 #, python-format
 msgid "Service %(url)s non allowed."
 msgstr "Service %(url)s non allowed."
 #: views.py:515
 msgid "Username non allowed"
 msgstr "Username non allowed"
 #: views.py:522
 msgid "User charateristics non allowed"
 msgstr "User charateristics non allowed"
 #: views.py:529
 #, python-format
 msgid "The attribut %(field)s is needed to use that service"
 msgstr "The attribut %(field)s is needed to use that service"
 #: views.py:599
 #, python-format
 msgid "Authentication renewal required by service %(name)s (%(url)s)."
 msgstr "Authentication renewal required by service %(name)s (%(url)s)."
 #: views.py:606
 #, python-format
 msgid "Authentication required by service %(name)s (%(url)s)."
 msgstr "Authentication required by service %(name)s (%(url)s)."
 #: views.py:613
 #, python-format
 msgid "Service %s non allowed"
 msgstr "Service %s non allowed"
 #~ msgid ""
 #~ "Error during service logout %(service)s:\n"
 #~ "%(error)s"
 #~ msgstr ""
 #~ "Error during service logout %(service)s:\n"
 #~ "%(error)s"
 #~ msgid "Successfully logout"
 #~ msgstr ""
 #~ "<h3>Logout successful</h3>You have successfully logged out of the Central "
 #~ "Authentication Service.</br>For security reasons, exit your web browser."
--- a/cas_server/locale/fr/LC_MESSAGES/django.mo
+++ b/cas_server/locale/fr/LC_MESSAGES/django.mo
--- a/cas_server/locale/fr/LC_MESSAGES/django.po
+++ b/cas_server/locale/fr/LC_MESSAGES/django.po
@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-07-04 17:36+0200\n"
+"POT-Creation-Date: 2016-08-01 12:01+0200\n"
-"PO-Revision-Date: 2016-07-04 17:37+0200\n"
+"PO-Revision-Date: 2016-08-01 12:01+0200\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
 "Language: fr\n"
@ -18,45 +18,45 @@ msgstr ""
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
 "X-Generator: Poedit 1.8.8\n"
-#: apps.py:19 templates/cas_server/base.html:3
+#: apps.py:25 templates/cas_server/base.html:9
-#: templates/cas_server/base.html:20
+#: templates/cas_server/base.html:27
 msgid "Central Authentication Service"
 msgstr "Service Central d'Authentification"
-#: forms.py:43
+#: forms.py:88
 msgid "Identity provider"
 msgstr "fournisseur d'identité"
-#: forms.py:45 forms.py:55 forms.py:106
+#: forms.py:92 forms.py:111
-msgid "service"
+msgid "Warn me before logging me into other sites."
-msgstr "service"
+msgstr "Prévenez-moi avant d'accéder à d'autres services."
-#: forms.py:47
+#: forms.py:96
 msgid "Remember the identity provider"
 msgstr "Se souvenir du fournisseur d'identité"
-#: forms.py:48 forms.py:59
+#: forms.py:106 models.py:600
-msgid "warn"
+msgid "username"
-msgstr "Prévenez-moi avant d'accéder à d'autres services."
+msgstr "nom d'utilisateur"
-#: forms.py:54
+#: forms.py:108
 msgid "login"
 msgstr "Identifiant"
 #: forms.py:56
 msgid "password"
 msgstr "mot de passe"
-#: forms.py:71
+#: forms.py:130
-msgid "Bad user"
+msgid "The credentials you provided cannot be determined to be authentic."
 msgstr "Les informations transmises n'ont pas permis de vous authentifier."
-#: forms.py:96
+#: forms.py:182
 msgid "User not found in the temporary database, please try to reconnect"
 msgstr ""
 "Utilisateur non trouvé dans la base de donnée temporaire, essayez de vous "
 "reconnecter"
 #: forms.py:196
 msgid "service"
 msgstr "service"
 #: management/commands/cas_clean_federate.py:20
 msgid "Clean old federated users"
 msgstr "Nettoyer les anciens utilisateurs fédéré"
@ -69,98 +69,99 @@ msgstr "Nettoyer les sessions supprimées"
 msgid "Clean old trickets"
 msgstr "Nettoyer les vieux tickets"
-#: models.py:42
+#: models.py:46
 msgid "identity provider"
 msgstr "fournisseur d'identité"
-#: models.py:43
+#: models.py:47
 msgid "identity providers"
 msgstr "fournisseurs d'identités"
-#: models.py:47
+#: models.py:53
 msgid "suffix"
 msgstr "suffixe"
-#: models.py:48
+#: models.py:55
 msgid ""
-"Suffix append to backend CAS returner username: `returned_username`@`suffix`"
+"Suffix append to backend CAS returned username: ``returned_username`` @ "
 "``suffix``."
 msgstr ""
 "Suffixe ajouté au nom d'utilisateur retourné par le CAS du fournisseur "
-"d'identité : `nom retourné`@`suffixe`"
+"d'identité : `nom retourné`@`suffixe`."
-#: models.py:50
+#: models.py:62
 msgid "server url"
 msgstr "url du serveur"
-#: models.py:59
+#: models.py:72
 msgid "CAS protocol version"
 msgstr "Version du protocole CAS"
-#: models.py:60
+#: models.py:74
 msgid ""
-"Version of the CAS protocol to use when sending requests the the backend CAS"
+"Version of the CAS protocol to use when sending requests the the backend CAS."
 msgstr ""
 "Version du protocole CAS à utiliser lorsque l'on envoie des requête au CAS "
-"du fournisseur d'identité"
+"du fournisseur d'identité."
-#: models.py:65
+#: models.py:81
 msgid "verbose name"
 msgstr "Nom du fournisseur"
-#: models.py:66
+#: models.py:82
-msgid "Name for this identity provider displayed on the login page"
+msgid "Name for this identity provider displayed on the login page."
-msgstr "Nom affiché pour ce fournisseur d'identité sur la page de connexion"
+msgstr "Nom affiché pour ce fournisseur d'identité sur la page de connexion."
-#: models.py:70 models.py:317
+#: models.py:88 models.py:446
 msgid "position"
 msgstr "position"
-#: models.py:80
+#: models.py:102
 msgid "display"
 msgstr "afficher"
-#: models.py:81
+#: models.py:103
-msgid "Display the provider on the login page"
+msgid "Display the provider on the login page."
-msgstr "Afficher le fournisseur d'identité sur la page de connexion"
+msgstr "Afficher le fournisseur d'identité sur la page de connexion."
-#: models.py:164
+#: models.py:233
 msgid "User"
 msgstr "Utilisateur"
-#: models.py:165
+#: models.py:234
 msgid "Users"
 msgstr "Utilisateurs"
-#: models.py:234
+#: models.py:320
 #, python-format
 msgid "Error during service logout %s"
 msgstr "Une erreur est survenue durant la déconnexion du service %s"
-#: models.py:312
+#: models.py:440
 msgid "Service pattern"
 msgstr "Motif de service"
-#: models.py:313
+#: models.py:441
 msgid "Services patterns"
 msgstr "Motifs de services"
-#: models.py:318
+#: models.py:447
 msgid "service patterns are sorted using the position attribute"
 msgstr "Les motifs de service sont trié selon l'attribut position"
-#: models.py:325 models.py:449
+#: models.py:455 models.py:626
 msgid "name"
 msgstr "nom"
-#: models.py:326
+#: models.py:456
 msgid "A name for the service"
 msgstr "Un nom pour le service"
-#: models.py:331 models.py:478 models.py:497
+#: models.py:464 models.py:669 models.py:698
 msgid "pattern"
 msgstr "motif"
-#: models.py:333
+#: models.py:466
 msgid ""
 "A regular expression matching services. Will usually looks like '^https://"
 "some\\.server\\.com/path/.*$'.As it is a regular expression, special "
@ -171,55 +172,55 @@ msgstr ""
 "expression rationnelle, les caractères spéciaux doivent être échappés avec "
 "un '\\'."
-#: models.py:342
+#: models.py:476
 msgid "user field"
 msgstr "champ utilisateur"
-#: models.py:343
+#: models.py:477
-msgid "Name of the attribut to transmit as username, empty = login"
+msgid "Name of the attribute to transmit as username, empty = login"
 msgstr ""
 "Nom de l'attribut devant être transmis comme nom d'utilisateur au service. "
-"vide = nom de connection"
+"vide = nom de connexion"
-#: models.py:347
+#: models.py:482
 msgid "restrict username"
 msgstr "limiter les noms d'utilisateurs"
-#: models.py:348
+#: models.py:483
 msgid "Limit username allowed to connect to the list provided bellow"
 msgstr ""
 "Limiter les noms d'utilisateurs autorisé à se connecter à la liste fournie "
 "ci-dessous"
-#: models.py:352
+#: models.py:488
 msgid "proxy"
 msgstr "proxy"
-#: models.py:353
+#: models.py:489
 msgid "Proxy tickets can be delivered to the service"
 msgstr "des proxy tickets peuvent être délivrés au service"
-#: models.py:357
+#: models.py:495
 msgid "proxy callback"
 msgstr ""
-#: models.py:358
+#: models.py:496
 msgid "can be used as a proxy callback to deliver PGT"
 msgstr "peut être utilisé comme un callback pour recevoir un PGT"
-#: models.py:362
+#: models.py:503
 msgid "single log out"
 msgstr ""
-#: models.py:363
+#: models.py:504
 msgid "Enable SLO for the service"
 msgstr "Active le SLO pour le service"
-#: models.py:370
+#: models.py:512
 msgid "single log out callback"
 msgstr ""
-#: models.py:371
+#: models.py:513
 msgid ""
 "URL where the SLO request will be POST. empty = service url\n"
 "This is usefull for non HTTP proxied services."
@ -228,83 +229,98 @@ msgstr ""
 "service\n"
 "Ceci n'est utilise que pour des services non HTTP proxifiés"
-#: models.py:433
+#: models.py:601
 msgid "username"
 msgstr "nom d'utilisateur"
 #: models.py:434
 msgid "username allowed to connect to the service"
 msgstr "noms d'utilisateurs autorisé à se connecter au service"
-#: models.py:450
+#: models.py:627
-msgid "name of an attribut to send to the service, use * for all attributes"
+msgid "name of an attribute to send to the service, use * for all attributes"
 msgstr ""
 "nom d'un attribut a envoyer au service, utiliser * pour tous les attributs"
-#: models.py:455 models.py:503
+#: models.py:634 models.py:705
 msgid "replace"
 msgstr "remplacement"
-#: models.py:456
+#: models.py:635
 msgid ""
-"name under which the attribut will be showto the service. empty = default "
+"name under which the attribute will be showto the service. empty = default "
 "name of the attribut"
 msgstr ""
 "nom sous lequel l'attribut sera rendu visible au service. vide = inchangé"
-#: models.py:473 models.py:492
+#: models.py:662 models.py:692
-msgid "attribut"
+msgid "attribute"
 msgstr "attribut"
-#: models.py:474
+#: models.py:663
-msgid "Name of the attribut which must verify pattern"
+msgid "Name of the attribute which must verify pattern"
 msgstr "Nom de l'attribut devant vérifier un motif"
-#: models.py:479
+#: models.py:670
 msgid "a regular expression"
 msgstr "une expression régulière"
-#: models.py:493
+#: models.py:693
-msgid "Name of the attribut for which the value must be replace"
+msgid "Name of the attribute for which the value must be replace"
-msgstr "nom de l'attribue pour lequel la valeur doit être remplacé"
+msgstr "nom de l'attribut pour lequel la valeur doit être remplacé"
-#: models.py:498
+#: models.py:699
 msgid "An regular expression maching whats need to be replaced"
 msgstr "une expression régulière reconnaissant ce qui doit être remplacé"
-#: models.py:504
+#: models.py:706
 msgid "replace expression, groups are capture by \\1, \\2 …"
 msgstr "expression de remplacement, les groupe sont capturé par \\1, \\2"
-#: templates/cas_server/logged.html:6
+#: templates/cas_server/base.html:38
-msgid "Logged"
+#, python-format
 msgid ""
 "A new version of the application is available. This instance runs "
 "%(VERSION)s and the last version is %(LAST_VERSION)s. Please consider "
 "upgrading."
 msgstr ""
-"<h3>Connexion réussie</h3>Vous vous êtes authentifié(e) auprès du Service "
+"Une nouvelle version de l'application est disponible. Cette instance utilise "
-"Central d'Authentification.<br/>Pour des raisons de sécurité, veuillez vous "
+"la version %(VERSION)s et la dernière version est %(LAST_VERSION)s. Merci de "
-"déconnecter et fermer votre navigateur lorsque vous avez fini d'accéder aux "
+"vous mettre a jour."
 "services authentifiés."
-#: templates/cas_server/logged.html:10
+#: templates/cas_server/logged.html:4
 msgid ""
 "<h3>Log In Successful</h3>You have successfully logged into the Central "
 "Authentication Service.<br/>For security reasons, please Log Out and Exit "
 "your web browser when you are done accessing services that require "
 "authentication!"
 msgstr ""
 "<h3>Déconnexion réussie</h3>Vous vous êtes déconnecté(e) du Service Central "
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur après avoir fini d'accéder a des services demandant une "
 "authentification !"
 #: templates/cas_server/logged.html:8
 msgid "Log me out from all my sessions"
 msgstr "Me déconnecter de toutes mes sessions"
-#: templates/cas_server/logged.html:13
+#: templates/cas_server/logged.html:14
 msgid "Forget the identity provider"
 msgstr "Oublier le fournisseur d'identité"
 #: templates/cas_server/logged.html:18
 msgid "Logout"
 msgstr "Se déconnecter"
-#: templates/cas_server/login.html:8
+#: templates/cas_server/login.html:6
 msgid "Please log in"
 msgstr "Merci de se connecter"
-#: templates/cas_server/login.html:13
+#: templates/cas_server/login.html:14
 msgid "Login"
 msgstr "Connexion"
-#: templates/cas_server/warn.html:10
+#: templates/cas_server/warn.html:9
 msgid "Connect to the service"
 msgstr "Se connecter au service"
-#: views.py:152
+#: views.py:168
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@ -313,7 +329,7 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
-#: views.py:158
+#: views.py:174
 #, python-format
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from %s sessions "
@ -324,7 +340,7 @@ msgstr ""
 "Service Central d'Authentification. Pour des raisons de sécurité, veuillez "
 "fermer votre navigateur."
-#: views.py:165
+#: views.py:181
 msgid ""
 "<h3>Logout successful</h3>You were already logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@ -333,50 +349,75 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
-#: views.py:349
+#: views.py:361
-msgid "Invalid login ticket"
+#, python-format
 msgid ""
 "Invalid response from your identity provider CAS upon ticket %(ticket)s "
 "validation: %(error)r"
 msgstr ""
 "Réponse invalide du CAS du fournisseur d'identité lors de la validation du "
 "ticket %(ticket)s: %(error)r"
 #: views.py:483
 msgid "Invalid login ticket, please retry to login"
 msgstr "Ticket de connexion invalide, merci de réessayé de vous connecter"
-#: views.py:470
+#: views.py:675
 #, python-format
 msgid "Authentication has been required by service %(name)s (%(url)s)"
 msgstr ""
 "Une demande d'authentification a été émise pour le service %(name)s "
 "(%(url)s)."
-#: views.py:508
+#: views.py:713
 #, python-format
 msgid "Service %(url)s non allowed."
 msgstr "le service %(url)s n'est pas autorisé."
-#: views.py:515
+#: views.py:720
 msgid "Username non allowed"
 msgstr "Nom d'utilisateur non authorisé"
-#: views.py:522
+#: views.py:727
-msgid "User charateristics non allowed"
+msgid "User characteristics non allowed"
 msgstr "Caractéristique utilisateur non autorisée"
-#: views.py:529
+#: views.py:734
 #, python-format
-msgid "The attribut %(field)s is needed to use that service"
+msgid "The attribute %(field)s is needed to use that service"
 msgstr "L'attribut %(field)s est nécessaire pour se connecter à ce service"
-#: views.py:599
+#: views.py:824
 #, python-format
 msgid "Authentication renewal required by service %(name)s (%(url)s)."
 msgstr "Demande de réauthentification pour le service %(name)s (%(url)s)."
-#: views.py:606
+#: views.py:831
 #, python-format
 msgid "Authentication required by service %(name)s (%(url)s)."
 msgstr "Authentification requise par le service %(name)s (%(url)s)."
-#: views.py:613
+#: views.py:838
 #, python-format
 msgid "Service %s non allowed"
 msgstr "Le service %s n'est pas autorisé"
 #~ msgid "Logged"
 #~ msgstr ""
 #~ "<h3>Connexion réussie</h3>Vous vous êtes authentifié(e) auprès du Service "
 #~ "Central d'Authentification.<br/>Pour des raisons de sécurité, veuillez "
 #~ "vous déconnecter et fermer votre navigateur lorsque vous avez fini "
 #~ "d'accéder aux services authentifiés."
 #~ msgid "warn"
 #~ msgstr "Prévenez-moi avant d'accéder à d'autres services."
 #~ msgid "login"
 #~ msgstr "Identifiant"
 #~ msgid "Bad user"
 #~ msgstr "Les informations transmises n'ont pas permis de vous authentifier."
 #~ msgid ""
 #~ "Error during service logout %(service)s:\n"
 #~ "%(error)s"
--- a/cas_server/management/commands/cas_clean_sessions.py
+++ b/cas_server/management/commands/cas_clean_sessions.py
@ -23,3 +23,4 @@ class Command(BaseCommand):
    def handle(self, *args, **options):
        models.User.clean_deleted_sessions()
        models.NewVersionWarning.send_mails()
--- a/cas_server/migrations/0008_newversionwarning.py
+++ b/cas_server/migrations/0008_newversionwarning.py
@ -0,0 +1,22 @@
 # -*- coding: utf-8 -*-
 # Generated by Django 1.9.7 on 2016-07-27 21:59
 from __future__ import unicode_literals
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('cas_server', '0007_auto_20160723_2252'),
    ]
    operations = [
        migrations.CreateModel(
            name='NewVersionWarning',
            fields=[
                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                ('version', models.CharField(max_length=255)),
            ],
        ),
    ]
--- a/cas_server/models.py
+++ b/cas_server/models.py
@ -18,15 +18,18 @@ from django.contrib import messages
 from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone
 from django.utils.encoding import python_2_unicode_compatible
 from django.core.mail import send_mail
 import re
 import sys
 import smtplib
 import logging
 from datetime import timedelta
 from concurrent.futures import ThreadPoolExecutor
 from requests_futures.sessions import FuturesSession
 import cas_server.utils as utils
 from . import VERSION
 #: logger facility
 logger = logging.getLogger(__name__)
@ -465,13 +468,13 @@ class ServicePattern(models.Model):
            "As it is a regular expression, special character must be escaped with a '\\'."
        )
    )
-    #: Name of the attribut to transmit as username, if empty the user login is used
+    #: Name of the attribute to transmit as username, if empty the user login is used
    user_field = models.CharField(
        max_length=255,
        default="",
        blank=True,
        verbose_name=_(u"user field"),
-        help_text=_("Name of the attribut to transmit as username, empty = login")
+        help_text=_("Name of the attribute to transmit as username, empty = login")
    )
    #: A boolean allowing to limit username allowed to connect to :attr:`usernames`.
    restrict_users = models.BooleanField(
@ -621,7 +624,7 @@ class ReplaceAttributName(models.Model):
    name = models.CharField(
        max_length=255,
        verbose_name=_(u"name"),
-        help_text=_(u"name of an attribut to send to the service, use * for all attributes")
+        help_text=_(u"name of an attribute to send to the service, use * for all attributes")
    )
    #: The name of the attribute to transmit to the service. If empty, the value of :attr:`name`
    #: is used.
@ -629,7 +632,7 @@ class ReplaceAttributName(models.Model):
        max_length=255,
        blank=True,
        verbose_name=_(u"replace"),
-        help_text=_(u"name under which the attribut will be show"
+        help_text=_(u"name under which the attribute will be show"
                    u"to the service. empty = default name of the attribut")
    )
    #: ForeignKey to a :class:`ServicePattern`. :class:`ReplaceAttributName` instances for a
@ -656,8 +659,8 @@ class FilterAttributValue(models.Model):
    #: The name of a user attribute
    attribut = models.CharField(
        max_length=255,
-        verbose_name=_(u"attribut"),
+        verbose_name=_(u"attribute"),
-        help_text=_(u"Name of the attribut which must verify pattern")
+        help_text=_(u"Name of the attribute which must verify pattern")
    )
    #: A regular expression the attribute :attr:`attribut` value must verify. If :attr:`attribut`
    #: if a list, only one of the list values needs to match.
@ -686,8 +689,8 @@ class ReplaceAttributValue(models.Model):
    #: Name the attribute: a key of :attr:`User.attributs`
    attribut = models.CharField(
        max_length=255,
-        verbose_name=_(u"attribut"),
+        verbose_name=_(u"attribute"),
-        help_text=_(u"Name of the attribut for which the value must be replace")
+        help_text=_(u"Name of the attribute for which the value must be replace")
    )
    #: A regular expression matching the part of the attribute value that need to be changed
    pattern = models.CharField(
@ -1003,3 +1006,60 @@ class Proxy(models.Model):
    def __str__(self):
        return self.url
 class NewVersionWarning(models.Model):
    """
        Bases: :class:`django.db.models.Model`
        The last new version available version sent
    """
    version = models.CharField(max_length=255)
    @classmethod
    def send_mails(cls):
        """
            For each new django-cas-server version, if the current instance is not up to date
            send one mail to ``settings.ADMINS``.
        """
        if settings.CAS_NEW_VERSION_EMAIL_WARNING and settings.ADMINS:
            try:
                obj = cls.objects.get()
            except cls.DoesNotExist:
                obj = NewVersionWarning.objects.create(version=VERSION)
            LAST_VERSION = utils.last_version()
            if LAST_VERSION is not None and LAST_VERSION != obj.version:
                if utils.decode_version(VERSION) < utils.decode_version(LAST_VERSION):
                    try:
                        send_mail(
                            (
                                '%sA new version of django-cas-server is available'
                            ) % settings.EMAIL_SUBJECT_PREFIX,
                            u'''
 A new version of the django-cas-server is available.
 Your version: %s
 New version: %s
 Upgrade using:
    * pip install -U django-cas-server
    * fetching the last release on
      https://github.com/nitmir/django-cas-server/ or on
      https://pypi.python.org/pypi/django-cas-server
 After upgrade, do not forget to run:
    * ./manage.py migrate
    * ./manage.py collectstatic
 and to reload your wsgi server (apache2, uwsgi, gunicord, etc…)
 --\u0020
 django-cas-server
 '''.strip() % (VERSION, LAST_VERSION),
                            settings.SERVER_EMAIL,
                            ["%s <%s>" % admin for admin in settings.ADMINS],
                            fail_silently=False,
                        )
                        obj.version = LAST_VERSION
                        obj.save()
                    except smtplib.SMTPException as error:  # pragma: no cover (should not happen)
                        logger.error("Unable to send new version mail: %s" % error)
--- a/cas_server/static/cas_server/alert-version.js
+++ b/cas_server/static/cas_server/alert-version.js
@ -0,0 +1,27 @@
 function alert_version(last_version){
    jQuery(function( $ ){
        $("#alert-version").click(function( e ){
            e.preventDefault();
            var date = new Date();
            date.setTime(date.getTime()+(10*365*24*60*60*1000));
            var expires = "; expires="+date.toGMTString();
            document.cookie = "cas-alert-version=" + last_version + expires + "; path=/";
        });
        var nameEQ="cas-alert-version=";
        var ca = document.cookie.split(";");
        var value;
        for(var i=0;i < ca.length;i++) {
            var c = ca[i];
            while(c.charAt(0) === " "){
                c = c.substring(1,c.length);
            }
            if(c.indexOf(nameEQ) === 0){
                value = c.substring(nameEQ.length,c.length);
            }
        }
        if(value === last_version){
            $("#alert-version").parent().hide();
        }
    });
 }
--- a/cas_server/static/cas_server/styles.css
+++ b/cas_server/static/cas_server/styles.css
--- a/cas_server/templates/cas_server/base.html
+++ b/cas_server/templates/cas_server/base.html
@ -14,8 +14,8 @@
        <script src="{{settings.CAS_COMPONENT_URLS.html5shiv}}"></script>
        <script src="{{settings.CAS_COMPONENT_URLS.respond}}"></script>
        <![endif]-->
-        <link rel="shortcut icon" href="{% static "cas_server/favicon.ico?v=1" %}" />
+        {% if settings.CAS_FAVICON_URL %}<link rel="shortcut icon" href="{{settings.CAS_FAVICON_URL}}" />{% endif %}
-        <link href="{% static "cas_server/login.css" %}" rel="stylesheet">
+        <link href="{% static "cas_server/styles.css" %}" rel="stylesheet">
    </head>
    <body>
        <div class="container">
@ -31,23 +31,28 @@
            <div class="row">
            <div class="col-lg-3 col-md-3 col-sm-2 col-xs-12"></div>
            <div class="col-lg-6 col-md-6 col-sm-8 col-xs-12">
            {% block ante_messages %}{% endblock %}
            {% if auto_submit %}<noscript>{% endif %}
            {% if settings.CAS_NEW_VERSION_HTML_WARNING and upgrade_available %}
              <div class="alert alert-info alert-dismissable">
                <button type="button" class="close" data-dismiss="alert" aria-hidden="true" id="alert-version">&#215;</button>
                {% blocktrans %}A new version of the application is available. This instance runs {{VERSION}} and the last version is {{LAST_VERSION}}. Please consider upgrading.{% endblocktrans %}
              </div>
            {% endif %}
            {% block ante_messages %}{% endblock %}
            {% for message in messages %}
                <div {% spaceless %}
                    {% if message.level == message_levels.DEBUG %}
-                        class="alert alert-warning alert-dismissable"
+                        class="alert alert-warning"
                    {% elif message.level == message_levels.INFO %}
-                        class="alert alert-info alert-dismissable"
+                        class="alert alert-info"
                    {% elif message.level == message_levels.SUCCESS %}
-                        class="alert alert-success alert-dismissable"
+                        class="alert alert-success"
                    {% elif message.level == message_levels.WARNING %}
-                        class="alert alert-warning alert-dismissable"
+                        class="alert alert-warning"
                    {% else %}
-                        class="alert alert-danger alert-dismissable"
+                        class="alert alert-danger"
                    {% endif %}
                {% endspaceless %}>
                    <button type="button" class="close" data-dismiss="alert" aria-hidden="true">&#215;</button>
                    {{ message }}
                </div>
            {% endfor %}
@ -59,5 +64,9 @@
        </div> <!-- /container -->
        <script src="{{settings.CAS_COMPONENT_URLS.jquery}}"></script>
        <script src="{{settings.CAS_COMPONENT_URLS.bootstrap3_js}}"></script>
        {% if settings.CAS_NEW_VERSION_HTML_WARNING and upgrade_available %}
        <script src="{% static "cas_server/alert-version.js" %}"></script>
        <script>alert_version("{{LAST_VERSION}}")</script>
        {% endif %}
    </body>
 </html>
--- a/cas_server/templates/cas_server/form.html
+++ b/cas_server/templates/cas_server/form.html
@ -1,10 +1,11 @@
 {% load cas_server %}
 {% for error in form.non_field_errors %}
 <div class="alert alert-danger alert-dismissable">
  <button type="button" class="close" data-dismiss="alert" aria-hidden="true">&#215;</button>
  {{error}}
 </div>
 {% endfor %}
-{% for field in form %}{% if field.display %}
+{% for field in form %}{% if not field|is_hidden %}
 <div class="form-group{% spaceless %}
  {% if not form.non_field_errors %}
    {% if field.errors %} has-error
@ -12,7 +13,7 @@
    {% endif %}
  {% endif %}"
 {% endspaceless %}>{% spaceless %}
-  {% if field.checkbox %}
+  {% if field|is_checkbox %}
    <div class="checkbox"><label for="{{field.auto_id}}">{{field}}{{field.label}}</label>
  {% else %}
    <label class="control-label" for="{{field.auto_id}}">{{field.label}}</label>
--- a/cas_server/templates/cas_server/logged.html
+++ b/cas_server/templates/cas_server/logged.html
@ -1,13 +1,20 @@
 {% extends "cas_server/base.html" %}
 {% load i18n %}
 {% block content %}
-<div class="alert alert-success" role="alert">{% trans "Logged" %}</div>
+<div class="alert alert-success" role="alert">{% blocktrans %}<h3>Log In Successful</h3>You have successfully logged into the Central Authentication Service.<br/>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!{% endblocktrans %}</div>
 <form class="form-signin" method="get" action="logout">
  <div class="checkbox">
    <label>
-      <input type="checkbox" name="all" value="1"> {% trans "Log me out from all my sessions" %}
+      <input type="checkbox" name="all" value="1">{% trans "Log me out from all my sessions" %}
    </label>
  </div>
  {% if settings.CAS_FEDERATE and request.COOKIES.remember_provider %}
  <div class="checkbox">
    <label>
      <input type="checkbox" name="forget_provider" value="1">{% trans "Forget the identity provider" %}
    </label>
  </div>
  {% endif %}
  <button class="btn btn-danger btn-block btn-lg" type="submit">{% trans "Logout" %}</button>
 </form>
 {% endblock %}
--- a/cas_server/templatetags/init.py
+++ b/cas_server/templatetags/init.py
--- a/cas_server/templatetags/cas_server.py
+++ b/cas_server/templatetags/cas_server.py
@ -0,0 +1,14 @@
 from django import template
 from django import forms
 register = template.Library()
@register.filter(name='is_checkbox')
 def is_checkbox(field):
    return isinstance(field.field.widget, forms.CheckboxInput)
@register.filter(name='is_hidden')
 def is_hidden(field):
    return isinstance(field.field.widget, forms.HiddenInput)
--- a/cas_server/tests/settings.py
+++ b/cas_server/tests/settings.py
@ -51,6 +51,22 @@ MIDDLEWARE_CLASSES = [
    'django.middleware.locale.LocaleMiddleware',
 ]
 TEMPLATES = [
    {
        'APP_DIRS': True,
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages'
            ]
        }
    }
 ]
 ROOT_URLCONF = 'cas_server.tests.urls'
 # Database
@ -81,3 +97,30 @@ USE_TZ = True
 # https://docs.djangoproject.com/en/1.9/howto/static-files/
 STATIC_URL = '/static/'
 CAS_NEW_VERSION_HTML_WARNING = False
 CAS_NEW_VERSION_EMAIL_WARNING = False
 LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'formatters': {
        'cas_file': {
            'format': '%(asctime)s %(levelname)s %(message)s'
        },
    },
    'handlers': {
        'cas_stream': {
            'level': 'INFO',
            'class': 'logging.StreamHandler',
            'formatter': 'cas_file',
        },
    },
    'loggers': {
        'cas_server': {
            'handlers': ['cas_stream'],
            'level': 'INFO',
            'propagate': True,
        },
    },
 }
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@ -84,29 +84,31 @@ class FederateAuthLoginLogoutTestCase(
            params['provider'] = provider.suffix
            if remember:
                params['remember'] = 'on'
            # just try for one suffix
            if suffix == "example.com":
                # if renew=False is posted it should be ignored
                params["renew"] = False
            # post the choosed provider
            response = client.post('/federate', params)
            # we are redirected to the provider CAS client url
            self.assertEqual(response.status_code, 302)
-            if remember:
+            self.assertEqual(response["Location"], '%s/federate/%s%s' % (
-                self.assertEqual(response["Location"], '%s/federate/%s?remember=on' % (
+                'http://testserver' if django.VERSION < (1, 9) else "",
-                    'http://testserver' if django.VERSION < (1, 9) else "",
+                provider.suffix,
-                    provider.suffix
+                "?remember=on" if remember else ""
-                ))
+            ))
            else:
                self.assertEqual(response["Location"], '%s/federate/%s' % (
                    'http://testserver' if django.VERSION < (1, 9) else "",
                    provider.suffix
                ))
            # let's follow the redirect
-            response = client.get('/federate/%s' % provider.suffix)
+            response = client.get(
                '/federate/%s%s' % (provider.suffix, "?remember=on" if remember else "")
            )
            # we are redirected to the provider CAS for authentication
            self.assertEqual(response.status_code, 302)
            self.assertEqual(
                response["Location"],
-                "%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s" % (
+                "%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s%s" % (
                    provider.server_url,
-                    provider.suffix
+                    provider.suffix,
                    "%3Fremember%3Don" if remember else ""
                )
            )
            # let's generate a ticket
@ -114,7 +116,10 @@ class FederateAuthLoginLogoutTestCase(
            # we lauch a dummy CAS server that only validate once for the service
            # http://testserver/federate/example.com with `ticket`
            tests_utils.DummyCAS.run(
-                ("http://testserver/federate/%s" % provider.suffix).encode("ascii"),
+                ("http://testserver/federate/%s%s" % (
                    provider.suffix,
                    "?remember=on" if remember else ""
                )).encode("ascii"),
                ticket.encode("ascii"),
                settings.CAS_TEST_USER.encode("utf8"),
                [],
@ -122,7 +127,13 @@ class FederateAuthLoginLogoutTestCase(
            )
            # we normally provide a good ticket and should be redirected to /login as the ticket
            # get successfully validated again the dummy CAS
-            response = client.get('/federate/%s' % provider.suffix, {'ticket': ticket})
+            response = client.get(
                '/federate/%s' % provider.suffix,
                {'ticket': ticket, 'remember': 'on' if remember else ''}
            )
            if remember:
                self.assertIn("remember_provider", client.cookies)
                self.assertEqual(client.cookies["remember_provider"].value, provider.suffix)
            self.assertEqual(response.status_code, 302)
            self.assertEqual(response["Location"], "%s/login" % (
                'http://testserver' if django.VERSION < (1, 9) else ""
@ -183,7 +194,8 @@ class FederateAuthLoginLogoutTestCase(
        """
            The federated view should redirect to /login if the provider is unknown or not provided,
            try to fetch a new ticket if the provided ticket validation fail
-            (network error or bad ticket)
+            (network error or bad ticket), redirect to /login with a error message if identity
            provider CAS return a bad response (invalid XML document)
        """
        good_provider = "example.com"
        bad_provider = "exemple.fr"
@ -229,6 +241,18 @@ class FederateAuthLoginLogoutTestCase(
            'http://testserver' if django.VERSION < (1, 9) else ""
        ))
        # test CAS avaible but return a bad XML doc, should redirect to /login with a error message
        # use "example.net" as it is CASv3
        tests_utils.HttpParamsHandler.run(8082)
        response = client.get("/federate/%s" % "example.net", {'ticket': utils.gen_st()})
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response["Location"], "%s/login" % (
            'http://testserver' if django.VERSION < (1, 9) else ""
        ))
        response = client.get("/login")
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"Invalid response from your identity provider CAS", response.content)
    def test_auth_federate_slo(self):
        """test that SLO receive from backend CAS log out the users"""
        # get tickets and connected clients
@ -331,6 +355,76 @@ class FederateAuthLoginLogoutTestCase(
                provider.suffix
            ))
    def test_forget_provider(self):
        """Test the logout option to forget remembered provider"""
        tickets = self.test_login_post_provider(remember=True)
        for (provider, _, client) in tickets:
            self.assertIn("remember_provider", client.cookies)
            self.assertEqual(client.cookies["remember_provider"].value, provider.suffix)
            self.assertNotEqual(client.cookies["remember_provider"]["max-age"], 0)
            client.get("/logout?forget_provider=1")
            self.assertEqual(client.cookies["remember_provider"]["max-age"], 0)
    def test_renew(self):
        """
            Test authentication renewal with federation mode
        """
        tickets = self.test_login_post_provider()
        for (provider, _, client) in tickets:
            # Try to renew authentication(client already authenticated in test_login_post_provider
            response = client.get("/login?renew=true")
            # we should be redirected to the user CAS
            self.assertEqual(response.status_code, 302)
            self.assertEqual(response["Location"], "%s/federate/%s?renew=true" % (
                'http://testserver' if django.VERSION < (1, 9) else "",
                provider.suffix
            ))
            response = client.get("/federate/%s?renew=true" % provider.suffix)
            self.assertEqual(response.status_code, 302)
            service_url = (
                "service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s%%3Frenew%%3Dtrue"
            ) % provider.suffix
            self.assertIn(service_url, response["Location"])
            self.assertIn("renew=true", response["Location"])
            cas_port = int(provider.server_url.split(':')[-1])
            # let's generate a ticket
            ticket = utils.gen_st()
            # we lauch a dummy CAS server that only validate once for the service
            # http://testserver/federate/example.com?renew=true with `ticket`
            tests_utils.DummyCAS.run(
                ("http://testserver/federate/%s?renew=true" % provider.suffix).encode("ascii"),
                ticket.encode("ascii"),
                settings.CAS_TEST_USER.encode("utf8"),
                [],
                cas_port
            )
            # we normally provide a good ticket and should be redirected to /login as the ticket
            # get successfully validated again the dummy CAS
            response = client.get(
                '/federate/%s' % provider.suffix,
                {'ticket': ticket, 'renew': 'true'}
            )
            self.assertEqual(response.status_code, 302)
            self.assertEqual(response["Location"], "%s/login?renew=true" % (
                'http://testserver' if django.VERSION < (1, 9) else ""
            ))
            # follow the redirect and try to get a ticket to see is it has renew set to True
            response = client.get("/login?renew=true&service=%s" % self.service)
            # we should get a page with a from with all widget hidden that auto POST to /login using
            # javascript. If javascript is disabled, a "connect" button is showed
            self.assertTrue(response.context['auto_submit'])
            self.assertEqual(response.context['post_url'], '/login')
            params = tests_utils.copy_form(response.context["form"])
            # POST get prefiled from parameters
            response = client.post("/login", params)
            self.assertEqual(response.status_code, 302)
            self.assertTrue(response["Location"].startswith("%s?ticket=" % self.service))
            ticket_value = response["Location"].split('ticket=')[-1]
            ticket = models.ServiceTicket.objects.get(value=ticket_value)
            self.assertTrue(ticket.renew)
    def test_login_bad_ticket(self):
        """
            Try login with a bad ticket:
--- a/cas_server/tests/test_models.py
+++ b/cas_server/tests/test_models.py
@ -16,7 +16,9 @@ import django
 from django.test import TestCase, Client
 from django.test.utils import override_settings
 from django.utils import timezone
 from django.core import mail
 import mock
 from datetime import timedelta
 from importlib import import_module
@ -60,6 +62,25 @@ class FederatedUserTestCase(TestCase, UserModels, FederatedIendityProviderModel)
        with self.assertRaises(models.FederatedUser.DoesNotExist):
            models.FederatedUser.objects.get(username="test2")
    def test_json_attributes(self):
        """test the json storage of ``atrributs`` in ``_attributs``"""
        provider = models.FederatedIendityProvider.objects.get(suffix="example.com")
        user = models.FederatedUser.objects.create(
            username=settings.CAS_TEST_USER,
            provider=provider,
            attributs=settings.CAS_TEST_ATTRIBUTES,
            ticket=""
        )
        self.assertEqual(utils.json_encode(settings.CAS_TEST_ATTRIBUTES), user._attributs)
        user.delete()
        user = models.FederatedUser.objects.create(
            username=settings.CAS_TEST_USER,
            provider=provider,
            ticket=""
        )
        self.assertIsNone(user._attributs)
        self.assertIsNone(user.attributs)
 class FederateSLOTestCase(TestCase, UserModels):
    """test for the federated SLO model"""
@ -231,3 +252,65 @@ class TicketTestCase(TestCase, UserModels, BaseServicePattern):
        self.assertTrue(b'logoutRequest' in params and params[b'logoutRequest'])
        # only 1 ticket remain in the db
        self.assertEqual(len(models.ServiceTicket.objects.all()), 1)
    def test_json_attributes(self):
        """test the json storage of ``atrributs`` in ``_attributs``"""
        # ge an authenticated client
        client = get_auth_client()
        # get the user associated to the client
        user = self.get_user(client)
        ticket = models.ServiceTicket.objects.create(
            user=user,
            service=self.service,
            attributs=settings.CAS_TEST_ATTRIBUTES,
            service_pattern=self.service_pattern
        )
        self.assertEqual(utils.json_encode(settings.CAS_TEST_ATTRIBUTES), ticket._attributs)
        ticket.delete()
        ticket = models.ServiceTicket.objects.create(
            user=user,
            service=self.service,
            service_pattern=self.service_pattern
        )
        self.assertIsNone(ticket._attributs)
        self.assertIsNone(ticket.attributs)
@mock.patch("cas_server.utils.last_version", lambda: "1.2.3")
@override_settings(ADMINS=[("Ano Nymous", "ano.nymous@example.net")])
@override_settings(CAS_NEW_VERSION_EMAIL_WARNING=True)
 class NewVersionWarningTestCase(TestCase):
    """tests for the new version warning model"""
    @mock.patch("cas_server.models.VERSION", "0.1.2")
    def test_send_mails(self):
        """test the send_mails method with ADMINS and a new version available"""
        models.NewVersionWarning.send_mails()
        self.assertEqual(len(mail.outbox), 1)
        self.assertEqual(
            mail.outbox[0].subject,
            '%sA new version of django-cas-server is available' % settings.EMAIL_SUBJECT_PREFIX
        )
        models.NewVersionWarning.send_mails()
        self.assertEqual(len(mail.outbox), 1)
    @mock.patch("cas_server.models.VERSION", "1.2.3")
    def test_send_mails_same_version(self):
        """test the send_mails method with with current version being the last"""
        models.NewVersionWarning.objects.create(version="0.1.2")
        models.NewVersionWarning.send_mails()
        self.assertEqual(len(mail.outbox), 0)
    @override_settings(ADMINS=[])
    def test_send_mails_no_admins(self):
        """test the send_mails method without ADMINS"""
        models.NewVersionWarning.send_mails()
        self.assertEqual(len(mail.outbox), 0)
    @override_settings(CAS_NEW_VERSION_EMAIL_WARNING=False)
    def test_send_mails_disabled(self):
        """test the send_mails method if disabled"""
        models.NewVersionWarning.send_mails()
        self.assertEqual(len(mail.outbox), 0)
--- a/cas_server/tests/test_utils.py
+++ b/cas_server/tests/test_utils.py
@ -11,8 +11,11 @@
 # (c) 2016 Valentin Samir
 """Tests module for utils"""
 from django.test import TestCase, RequestFactory
 from django.db import connection
 import six
 import warnings
 import datetime
 from cas_server import utils
@ -128,16 +131,23 @@ class CheckPasswordCase(TestCase):
        with self.assertRaises(utils.LdapHashUserPassword.BadHash):
            utils.check_password("ldap", self.password1, b"TOTOssdsdsd", "utf8")
        for scheme in schemes_salt:
            # bad length
            with self.assertRaises(utils.LdapHashUserPassword.BadHash):
                utils.check_password("ldap", self.password1, scheme + b"dG90b3E8ZHNkcw==", "utf8")
            # bad base64
            with self.assertRaises(utils.LdapHashUserPassword.BadHash):
                utils.check_password("ldap", self.password1, scheme + b"dG90b3E8ZHNkcw", "utf8")
    def test_hex(self):
        """test all the hex_HASH method: the hashed password is a simple hash of the password"""
        hashes = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]
        hashed_password1 = []
-        for hash in hashes:
+        for hash_scheme in hashes:
            hashed_password1.append(
-                ("hex_%s" % hash, getattr(utils.hashlib, hash)(self.password1).hexdigest())
+                (
                    "hex_%s" % hash_scheme,
                    getattr(utils.hashlib, hash_scheme)(self.password1).hexdigest()
                )
            )
        for (method, hp1) in hashed_password1:
            self.assertTrue(utils.check_password(method, self.password1, hp1, "utf8"))
@ -208,3 +218,40 @@ class UtilsTestCase(TestCase):
        self.assertEqual(utils.get_tuple(test_tuple, 3), None)
        self.assertEqual(utils.get_tuple(test_tuple, 3, 'toto'), 'toto')
        self.assertEqual(utils.get_tuple(None, 3), None)
    def test_last_version(self):
        """
            test the function last_version. An internet connection is needed, if you do not have
            one, this test will fail and you should ignore it.
        """
        try:
            # first check if pypi is available
            utils.requests.get("https://pypi.python.org/simple/django-cas-server/")
        except utils.requests.exceptions.RequestException:
            warnings.warn(
                (
                    "Pypi seems not available, perhaps you do not have internet access. "
                    "Consequently, the test cas_server.tests.test_utils.UtilsTestCase.test_last_"
                    "version is ignored"
                ),
                RuntimeWarning
            )
        else:
            version = utils.last_version()
            self.assertIsInstance(version, six.text_type)
            self.assertEqual(len(version.split('.')), 3)
            # version is cached 24h so calling it a second time should return the save value
            self.assertEqual(version, utils.last_version())
    def test_dictfetchall(self):
        """test the function dictfetchall"""
        with connection.cursor() as curs:
            curs.execute("SELECT * FROM django_migrations")
            results = utils.dictfetchall(curs)
            self.assertIsInstance(results, list)
            self.assertTrue(len(results) > 0)
            for result in results:
                self.assertIsInstance(result, dict)
                self.assertIn('applied', result)
                self.assertIsInstance(result['applied'], datetime.datetime)
--- a/cas_server/tests/test_view.py
+++ b/cas_server/tests/test_view.py
@ -20,6 +20,7 @@ from django.utils import timezone
 import random
 import json
 import mock
 from lxml import etree
 from six.moves import range
@ -47,6 +48,33 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
        # we prepare a bunch a service url and service patterns for tests
        self.setup_service_patterns()
    @override_settings(CAS_NEW_VERSION_HTML_WARNING=True)
    @mock.patch("cas_server.utils.last_version", lambda: "1.2.3")
    @mock.patch("cas_server.utils.VERSION", "0.1.2")
    def test_new_version_available_ok(self):
        """test the new version info box"""
        client = Client()
        response = client.get("/login")
        self.assertIn(b"A new version of the application is available", response.content)
    @override_settings(CAS_NEW_VERSION_HTML_WARNING=True)
    @mock.patch("cas_server.utils.last_version", lambda: None)
    @mock.patch("cas_server.utils.VERSION", "0.1.2")
    def test_new_version_available_badpypi(self):
        """
            test the new version info box if pypi is not available (unable to retreive last version)
        """
        client = Client()
        response = client.get("/login")
        self.assertNotIn(b"A new version of the application is available", response.content)
    @override_settings(CAS_NEW_VERSION_HTML_WARNING=False)
    def test_new_version_available_disabled(self):
        """test the new version info box is disabled"""
        client = Client()
        response = client.get("/login")
        self.assertNotIn(b"A new version of the application is available", response.content)
    def test_login_view_post_goodpass_goodlt(self):
        """Test a successul login"""
        # we get a client who fetch a frist time the login page and the login form default
@ -309,7 +337,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
            response = client.get("/login", {'service': service})
            # the ticket is not created and a warning is displayed to the user
            self.assertEqual(response.status_code, 200)
-            self.assertTrue(b"User charateristics non allowed" in response.content)
+            self.assertTrue(b"User characteristics non allowed" in response.content)
        # same but with rectriction that a valid upon the test user attributes
        response = client.get("/login", {'service': self.service_filter_success})
@ -327,7 +355,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
        response = client.get("/login", {'service': self.service_field_needed_fail})
        # the ticket is not created and a warning is displayed to the user
        self.assertEqual(response.status_code, 200)
-        self.assertTrue(b"The attribut uid is needed to use that service" in response.content)
+        self.assertTrue(b"The attribute uid is needed to use that service" in response.content)
        # same but with a attribute that the test user has
        response = client.get("/login", {'service': self.service_field_needed_success})
@ -351,7 +379,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
        response = client.get("/login", {"service": self.service_field_needed_success})
        # the ticket is not created and a warning is displayed to the user
        self.assertEqual(response.status_code, 200)
-        self.assertTrue(b"The attribut alias is needed to use that service" in response.content)
+        self.assertTrue(b"The attribute alias is needed to use that service" in response.content)
    def test_gateway(self):
        """test gateway parameter"""
--- a/cas_server/tests/utils.py
+++ b/cas_server/tests/utils.py
@ -12,8 +12,9 @@
 """Some utils functions for tests"""
 from cas_server.default_settings import settings
 import django
 from django.test import Client
-from django.template import loader, Context
+from django.template import loader
 from django.utils import timezone
 import cgi
@ -21,13 +22,25 @@ import six
 from threading import Thread
 from lxml import etree
 from six.moves import BaseHTTPServer
-from six.moves.urllib.parse import urlparse, parse_qsl
+from six.moves.urllib.parse import urlparse, parse_qsl, parse_qs
 from datetime import timedelta
 from cas_server import models
 from cas_server import utils
 if django.VERSION < (1, 8):
    from django.template import Context
 else:
    def Context(arg):
        """
            Starting from django 1.8 render take a dict and deprecated the use of a Context.
            So this is the identity function, only use for compatibility with django 1.7 where
            render MUST take a Context as argument.
        """
        return arg
 def return_unicode(string, charset):
    """make `string` a unicode if `string` is a unicode or bytes encoded with `charset`"""
    if not isinstance(string, six.text_type):
@ -166,7 +179,7 @@ class HttpParamsHandler(BaseHTTPServer.BaseHTTPRequestHandler):
            postvars = cgi.parse_multipart(self.rfile, pdict)
        elif ctype == 'application/x-www-form-urlencoded':
            length = int(self.headers.get('content-length'))
-            postvars = cgi.parse_qs(self.rfile.read(length), keep_blank_values=1)
+            postvars = parse_qs(self.rfile.read(length), keep_blank_values=1)
        else:
            postvars = {}
        self.server.PARAMS = postvars
--- a/cas_server/urls.py
+++ b/cas_server/urls.py
@ -16,8 +16,10 @@ from django.views.decorators.debug import sensitive_post_parameters, sensitive_v
 from cas_server import views
 app_name = "cas_server"
 urlpatterns = [
-    url(r'^$', RedirectView.as_view(pattern_name="cas_server:login")),
+    url(r'^$', RedirectView.as_view(pattern_name="cas_server:login", permanent=False)),
    url(
        '^login$',
        sensitive_post_parameters('password')(
@ -51,8 +53,8 @@ urlpatterns = [
    url('^samlValidate$', views.SamlValidate.as_view(), name='samlValidate'),
    url(
        '^auth$',
-        sensitive_variables('password')(
+        sensitive_variables('password', 'secret')(
-            sensitive_post_parameters('password')(
+            sensitive_post_parameters('password', 'secret')(
                views.Auth.as_view()
            )
        ),
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@ -25,11 +25,20 @@ import hashlib
 import crypt
 import base64
 import six
 import requests
 import time
 import logging
 import binascii
 from importlib import import_module
 from datetime import datetime, timedelta
 from six.moves.urllib.parse import urlparse, urlunparse, parse_qsl, urlencode
 from . import VERSION
 #: logger facility
 logger = logging.getLogger(__name__)
 def json_encode(obj):
    """Encode a python object to json"""
@ -51,6 +60,14 @@ def context(params):
    """
    params["settings"] = settings
    params["message_levels"] = DEFAULT_MESSAGE_LEVELS
    if settings.CAS_NEW_VERSION_HTML_WARNING:
        LAST_VERSION = last_version()
        params["VERSION"] = VERSION
        params["LAST_VERSION"] = LAST_VERSION
        if LAST_VERSION is not None:
            params["upgrade_available"] = decode_version(VERSION) < decode_version(LAST_VERSION)
        else:
            params["upgrade_available"] = False
    return params
@ -545,7 +562,10 @@ class LdapHashUserPassword(object):
        elif scheme == b'{CRYPT}':
            return b'$'.join(hashed_passord.split(b'$', 3)[:-1])[len(scheme):]
        else:
-            hashed_passord = base64.b64decode(hashed_passord[len(scheme):])
+            try:
                hashed_passord = base64.b64decode(hashed_passord[len(scheme):])
            except (TypeError, binascii.Error) as error:
                raise cls.BadHash("Bad base64: %s" % error)
            if len(hashed_passord) < cls._schemes_to_len[scheme]:
                raise cls.BadHash("Hash too short for the scheme %s" % scheme)
            return hashed_passord[cls._schemes_to_len[scheme]:]
@ -563,7 +583,7 @@ def check_password(method, password, hashed_password, charset):
        :param hashed_password: The hashed password as stored in the database
        :type hashed_password: :obj:`str` or :obj:`unicode`
        :param str charset: The used char encoding (also used internally, so it must be valid for
-            the charset used by ``password`` even if it is inputed as an :obj:`unicode`)
+            the charset used by ``password`` when it was initially )
        :return: True if ``password`` match ``hashed_password`` using ``method``,
            ``False`` otherwise
        :rtype: bool
@ -603,3 +623,60 @@ def check_password(method, password, hashed_password, charset):
        )(password).hexdigest().encode("ascii") == hashed_password.lower()
    else:
        raise ValueError("Unknown password method check %r" % method)
 def decode_version(version):
    """
        decode a version string following version semantic http://semver.org/ input a tuple of int
        :param unicode version: A dotted version
        :return: A tuple a int
        :rtype: tuple
    """
    return tuple(int(sub_version) for sub_version in version.split('.'))
 def last_version():
    """
        Fetch the last version from pypi and return it. On successful fetch from pypi, the response
        is cached 24h, on error, it is cached 10 min.
        :return: the last django-cas-server version
        :rtype: unicode
    """
    try:
        last_update, version, success = last_version._cache
    except AttributeError:
        last_update = 0
        version = None
        success = False
    cache_delta = 24 * 3600 if success else 600
    if (time.time() - last_update) < cache_delta:
        return version
    else:
        try:
            req = requests.get(settings.CAS_NEW_VERSION_JSON_URL)
            data = json.loads(req.text)
            versions = list(data["releases"].keys())
            versions.sort()
            version = versions[-1]
            last_version._cache = (time.time(), version, True)
            return version
        except (
            KeyError,
            ValueError,
            requests.exceptions.RequestException
        ) as error:  # pragma: no cover (should not happen unless pypi is not available)
            logger.error(
                "Unable to fetch %s: %s" % (settings.CAS_NEW_VERSION_JSON_URL, error)
            )
            last_version._cache = (time.time(), version, False)
 def dictfetchall(cursor):
    "Return all rows from a django cursor as a dict"
    columns = [col[0] for col in cursor.description]
    return [
        dict(zip(columns, row))
        for row in cursor.fetchall()
    ]
--- a/cas_server/views.py
+++ b/cas_server/views.py
@ -147,9 +147,12 @@ class LogoutView(View, LogoutMixin):
        # current querystring
        if settings.CAS_FEDERATE:
            if auth is not None:
-                params = utils.copy_params(request.GET)
+                params = utils.copy_params(request.GET, ignore={"forget_provider"})
                url = auth.get_logout_url()
-                return HttpResponseRedirect(utils.update_url(url, params))
+                response = HttpResponseRedirect(utils.update_url(url, params))
                if request.GET.get("forget_provider"):
                    response.delete_cookie("remember_provider")
                return response
        # if service is set, redirect to service after logout
        if self.service:
            list(messages.get_messages(request))  # clean messages before leaving the django app
@ -209,6 +212,7 @@ class LogoutView(View, LogoutMixin):
 class FederateAuth(View):
    """view to authenticated user agains a backend CAS then CAS_FEDERATE is True"""
    @method_decorator(csrf_exempt)  # csrf is disabled for allowing SLO requests reception
    def dispatch(self, request, *args, **kwargs):
        """
@ -218,8 +222,7 @@ class FederateAuth(View):
        """
        return super(FederateAuth, self).dispatch(request, *args, **kwargs)
-    @staticmethod
+    def get_cas_client(self, request, provider, renew=False):
    def get_cas_client(request, provider):
        """
            return a CAS client object matching provider
@ -231,7 +234,8 @@ class FederateAuth(View):
        """
        # compute the current url, ignoring ticket dans provider GET parameters
        service_url = utils.get_current_url(request, {"ticket", "provider"})
-        return CASFederateValidateUser(provider, service_url)
+        self.service_url = service_url
        return CASFederateValidateUser(provider, service_url, renew=renew)
    def post(self, request, provider=None):
        """
@ -264,24 +268,16 @@ class FederateAuth(View):
            if form.is_valid():
                params = utils.copy_params(
                    request.POST,
-                    ignore={"provider", "csrfmiddlewaretoken", "ticket"}
+                    ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt"}
                )
                if params.get("renew") == "False":
                    del params["renew"]
                url = utils.reverse_params(
                    "cas_server:federateAuth",
                    kwargs=dict(provider=form.cleaned_data["provider"].suffix),
                    params=params
                )
-                response = HttpResponseRedirect(url)
+                return HttpResponseRedirect(url)
                # If the user has checked "remember my identity provider" store it in a cookie
                if form.cleaned_data["remember"]:
                    max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
                    utils.set_cookie(
                        response,
                        "_remember_provider",
                        form.cleaned_data["provider"].suffix,
                        max_age
                    )
                return response
            else:
                return redirect("cas_server:login")
@ -296,47 +292,81 @@ class FederateAuth(View):
        if not settings.CAS_FEDERATE:
            logger.warning("CAS_FEDERATE is False, set it to True to use the federated mode")
            return redirect("cas_server:login")
        renew = bool(request.GET.get('renew') and request.GET['renew'] != "False")
        # Is the user is already authenticated, no need to request authentication to the user
        # identity provider.
-        if self.request.session.get("authenticated"):
+        if self.request.session.get("authenticated") and not renew:
            logger.warning("User already authenticated, dropping federate authentication request")
            return redirect("cas_server:login")
        try:
            # get the identity provider from its suffix
            provider = FederatedIendityProvider.objects.get(suffix=provider)
            # get a CAS client for the user identity provider
-            auth = self.get_cas_client(request, provider)
+            auth = self.get_cas_client(request, provider, renew)
            # if no ticket submited, redirect to the identity provider CAS login page
            if 'ticket' not in request.GET:
                logger.info("Trying to authenticate again %s" % auth.provider.server_url)
                return HttpResponseRedirect(auth.get_login_url())
            else:
                ticket = request.GET['ticket']
-                # if the ticket validation succeed
+                try:
-                if auth.verify_ticket(ticket):
+                    # if the ticket validation succeed
-                    logger.info(
+                    if auth.verify_ticket(ticket):
-                        "Got a valid ticket for %s from %s" % (
+                        logger.info(
-                            auth.username,
+                            "Got a valid ticket for %s from %s" % (
-                            auth.provider.server_url
+                                auth.username,
                                auth.provider.server_url
                            )
                        )
-                    )
+                        params = utils.copy_params(request.GET, ignore={"ticket", "remember"})
-                    params = utils.copy_params(request.GET, ignore={"ticket"})
+                        request.session["federate_username"] = auth.federated_username
-                    request.session["federate_username"] = auth.federated_username
+                        request.session["federate_ticket"] = ticket
-                    request.session["federate_ticket"] = ticket
+                        auth.register_slo(
-                    auth.register_slo(auth.federated_username, request.session.session_key, ticket)
+                            auth.federated_username,
-                    # redirect to the the login page for the user to become authenticated
+                            request.session.session_key,
-                    # thanks to the `federate_username` and `federate_ticket` session parameters
+                            ticket
                    url = utils.reverse_params("cas_server:login", params)
                    return HttpResponseRedirect(url)
                # else redirect to the identity provider CAS login page
                else:
                    logger.info(
                        "Got a invalid ticket for %s from %s. Retrying to authenticate" % (
                            auth.username,
                            auth.provider.server_url
                        )
                        # redirect to the the login page for the user to become authenticated
                        # thanks to the `federate_username` and `federate_ticket` session parameters
                        url = utils.reverse_params("cas_server:login", params)
                        response = HttpResponseRedirect(url)
                        # If the user has checked "remember my identity provider" store it in a
                        # cookie
                        if request.GET.get("remember"):
                            max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
                            utils.set_cookie(
                                response,
                                "remember_provider",
                                provider.suffix,
                                max_age
                            )
                        return response
                    # else redirect to the identity provider CAS login page
                    else:
                        logger.info(
                            (
                                "Got a invalid ticket %s from %s for service %s. "
                                "Retrying to authenticate"
                            ) % (
                                ticket,
                                auth.provider.server_url,
                                self.service_url
                            )
                        )
                        return HttpResponseRedirect(auth.get_login_url())
                # both xml.etree.ElementTree and lxml.etree exceptions inherit from SyntaxError
                except SyntaxError as error:
                    messages.add_message(
                        request,
                        messages.ERROR,
                        _(
                            u"Invalid response from your identity provider CAS upon "
                            u"ticket %(ticket)s validation: %(error)r"
                        ) % {'ticket': ticket, 'error': error}
                    )
-                    return HttpResponseRedirect(auth.get_login_url())
+                    response = redirect("cas_server:login")
                    response.delete_cookie("remember_provider")
                    return response
        except FederatedIendityProvider.DoesNotExist:
            logger.warning("Identity provider suffix %s not found" % provider)
            # if the identity provider is not found, redirect to the login page
@ -407,7 +437,8 @@ class LoginView(View, LogoutMixin):
        self.warn = request.POST.get('warn')
        if settings.CAS_FEDERATE:
            self.username = request.POST.get('username')
-            self.ticket = request.POST.get('ticket')
+            # in federated mode, the valdated indentity provider CAS ticket is used as password
            self.ticket = request.POST.get('password')
    def gen_lt(self):
        """Generate a new LoginTicket and add it to the list of valid LT for the user"""
@ -451,7 +482,7 @@ class LoginView(View, LogoutMixin):
            messages.add_message(
                self.request,
                messages.ERROR,
-                _(u"Invalid login ticket")
+                _(u"Invalid login ticket, please retry to login")
            )
        elif ret == self.USER_LOGIN_OK:
            # On successful login, update the :class:`models.User<cas_server.models.User>` ``date``
@ -477,7 +508,17 @@ class LoginView(View, LogoutMixin):
        else:  # pragma: no cover (should no happen)
            raise EnvironmentError("invalid output for LoginView.process_post")
        # call the GET/POST common part
-        return self.common()
+        response = self.common()
        if self.warn:
            utils.set_cookie(
                response,
                "warn",
                "on",
                10 * 365 * 24 * 3600
            )
        else:
            response.delete_cookie("warn")
        return response
    def process_post(self):
        """
@ -586,7 +627,9 @@ class LoginView(View, LogoutMixin):
        form_initial = {
            'service': self.service,
            'method': self.method,
-            'warn': self.warn or self.request.session.get("warn"),
+            'warn': (
                self.warn or self.request.session.get("warn") or self.request.COOKIES.get('warn')
            ),
            'lt': self.request.session['lt'][-1],
            'renew': self.renew
        }
@ -683,14 +726,14 @@ class LoginView(View, LogoutMixin):
            messages.add_message(
                self.request,
                messages.ERROR,
-                _(u"User charateristics non allowed")
+                _(u"User characteristics non allowed")
            )
        except models.UserFieldNotDefined:
            error = 4
            messages.add_message(
                self.request,
                messages.ERROR,
-                _(u"The attribut %(field)s is needed to use"
+                _(u"The attribute %(field)s is needed to use"
                  u" that service") % {'field': service_pattern.user_field}
            )
@ -817,19 +860,37 @@ class LoginView(View, LogoutMixin):
                    )
                else:
                    if (
-                        self.request.COOKIES.get('_remember_provider') and
+                        self.request.COOKIES.get('remember_provider') and
                        FederatedIendityProvider.objects.filter(
-                            suffix=self.request.COOKIES['_remember_provider']
+                            suffix=self.request.COOKIES['remember_provider']
                        )
                    ):
                        params = utils.copy_params(self.request.GET)
                        url = utils.reverse_params(
                            "cas_server:federateAuth",
                            params=params,
-                            kwargs=dict(provider=self.request.COOKIES['_remember_provider'])
+                            kwargs=dict(provider=self.request.COOKIES['remember_provider'])
                        )
                        return HttpResponseRedirect(url)
                    else:
                        # if user is authenticated and auth renewal is requested, redirect directly
                        # to the user identity provider
                        if self.renew and self.request.session.get("authenticated"):
                            try:
                                user = FederatedUser.get_from_federated_username(
                                    self.request.session.get("username")
                                )
                                params = utils.copy_params(self.request.GET)
                                url = utils.reverse_params(
                                    "cas_server:federateAuth",
                                    params=params,
                                    kwargs=dict(provider=user.provider.suffix)
                                )
                                return HttpResponseRedirect(url)
                            # Should normally not happen: if the user is logged, it exists in the
                            # database.
                            except FederatedUser.DoesNotExist:  # pragma: no cover
                                pass
                        return render(
                            self.request,
                            settings.CAS_LOGIN_TEMPLATE,
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@ -1,10 +1,12 @@
 setuptools>=5.5
 requests>=2.4
 requests_futures>=0.9.5
 lxml>=3.4
 six>=1.8
 tox>=1.8.1
 pytest>=2.6.4
 pytest-django>=2.8.0
 pytest-pythonpath>=0.3
 pytest-warnings
 pytest-cov>=2.2.1
-requests>=2.4
+mock>=1
 requests_futures>=0.9.5
 lxml>=3.4
 six>=1
--- a/requirements.txt
+++ b/requirements.txt
@ -1,6 +1,6 @@
-Django >= 1.8,<1.10
+Django >= 1.7.1,<1.10
 setuptools>=5.5
 requests>=2.4
 requests_futures>=0.9.5
 lxml>=3.4
-six>=1
+six>=1.8
--- a/setup.py
+++ b/setup.py
@ -1,8 +1,7 @@
 import os
 import pkg_resources
 from setuptools import setup
-
+from cas_server import VERSION
 VERSION = '0.6.1'
 with open(os.path.join(os.path.dirname(__file__), 'README.rst')) as readme:
    README = readme.read()
@ -30,7 +29,7 @@ if __name__ == '__main__':
        author_email='valentin.samir@crans.org',
        classifiers=[
            'Environment :: Web Environment',
-            'evelopment Status :: 5 - Production/Stable',
+            'Development Status :: 5 - Production/Stable',
            'Framework :: Django',
            'Framework :: Django :: 1.7',
            'Framework :: Django :: 1.8',
@ -66,5 +65,5 @@ if __name__ == '__main__':
        download_url="https://github.com/nitmir/django-cas-server/releases",
        zip_safe=False,
        setup_requires=['pytest-runner'],
-        tests_require=['pytest', 'pytest-django', 'pytest-pythonpath'],
+        tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'],
    )
--- a/tox.ini
+++ b/tox.ini
@ -31,7 +31,7 @@ whitelist_externals=
 [testenv]
 commands=
-    py.test {posargs:cas_server/tests/}
+    py.test -rw {posargs:cas_server/tests/}
    {[post_cmd]commands}
 whitelist_externals={[post_cmd]whitelist_externals}