--- loncom/auth/lonauth.pm	2014/05/04 15:16:10	1.121.2.11
+++ loncom/auth/lonauth.pm	2017/06/06 22:34:37	1.121.2.16
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.121.2.11 2014/05/04 15:16:10 raeburn Exp $
+# $Id: lonauth.pm,v 1.121.2.16 2017/06/06 22:34:37 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -73,7 +73,7 @@ sub success {
     }
 
 # ------------------------------------------------------------ Get cookie ready
-    $cookie="lonID=$cookie; path=/";
+    $cookie="lonID=$cookie; path=/; HttpOnly";
 # -------------------------------------------------------- Menu script and info
     my $destination = $lowerurl;
 
@@ -103,9 +103,7 @@ sub success {
         if ($destsymb =~ /___/) {
             # FIXME Need to deal with encrypted symbs and urls as needed.
             my ($map,$resid,$desturl)=split(/___/,$destsymb);
-            unless ($desturl=~/^(adm|editupload|public)/) {
-                $desturl = &Apache::lonnet::clutter($desturl);
-            }
+            $desturl = &Apache::lonnet::clutter($desturl);
             $desturl = &HTML::Entities::encode($desturl,'"<>&');
             $destsymb = &HTML::Entities::encode($destsymb,'"<>&');
             $destination .= 'destinationurl='.$desturl.
@@ -240,7 +238,6 @@ sub reroute {
 sub handler {
     my $r = shift;
     my $londocroot = $r->dir_config('lonDocRoot');
-    my $form;
 # Are we re-routing?
     if (-e "$londocroot/lon-status/reroute.txt") {
 	&reroute($r);
@@ -319,12 +316,6 @@ sub handler {
     my $tmpinfo=Apache::lonnet::reply('tmpget:'.$form{'logtoken'},
                                       $form{'serverid'});
 
-    my %sessiondata;
-    if ($form{'iptoken'}) {
-        %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
-        my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
-    }
-
     if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost') || 
         ($tmpinfo eq 'no_such_host')) {
 	&failed($r,'Information needed to verify your login information is missing, inaccessible or expired.',\%form);
@@ -344,40 +335,27 @@ sub handler {
         return OK;
     }
 
-    my ($key,$firsturl,$rolestr,$symbstr)=split(/&/,$tmpinfo);
+    my ($key,$firsturl,$rolestr,$symbstr,$iptokenstr)=split(/&/,$tmpinfo);
     if ($rolestr) {
         $rolestr = &unescape($rolestr);
     }
     if ($symbstr) {
         $symbstr= &unescape($symbstr);
     }
+    if ($iptokenstr) {
+        $iptokenstr = &unescape($iptokenstr);
+    }
     if ($rolestr =~ /^role=/) {
         (undef,$form{'role'}) = split('=',$rolestr);
     }
     if ($symbstr =~ /^symb=/) { 
         (undef,$form{'symb'}) = split('=',$symbstr);
     }
-
-    my $keybin=pack("H16",$key);
-
-    my $cipher;
-    if ($Crypt::DES::VERSION>=2.03) {
-	$cipher=new Crypt::DES $keybin;
+    if ($iptokenstr =~ /^iptoken=/) {
+        (undef,$form{'iptoken'}) = split('=',$iptokenstr);
     }
-    else {
-	$cipher=new DES $keybin;
-    }
-    my $upass='';
-    for (my $i=0;$i<=2;$i++) {
-	my $chunk=
-	    $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},0,16))));
 
-	$chunk.=
-	    $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},16,16))));
-
-	$chunk=substr($chunk,1,ord(substr($chunk,0,1)));
-	$upass.=$chunk;
-    }
+    my $upass = &Apache::loncommon::des_decrypt($key,$form{'upass0'});
 
 # ---------------------------------------------------------------- Authenticate
 
@@ -441,6 +419,8 @@ sub handler {
 
     my $hosthere;
     if ($form{'iptoken'}) {
+        my %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
+        my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
         if (($sessiondata{'domain'} eq $form{'udom'}) &&
             ($sessiondata{'username'} eq $form{'uname'})) {
             $hosthere = 1;
@@ -474,13 +454,25 @@ sub handler {
 
     unless ($hosthere) {
         ($is_balancer,$otherserver) =
-            &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'});
+            &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'},'login');
+        if ($is_balancer) {
+            if ($otherserver eq '') {
+                my $lowest_load;
+                ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($form{'udom'});
+                if ($lowest_load > 100) {
+                    $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$form{'udom'});
+                }
+            }
+            if ($otherserver ne '') {
+                my @hosts = &Apache::lonnet::current_machine_ids();
+                if (grep(/^\Q$otherserver\E$/,@hosts)) {
+                    $hosthere = $otherserver;
+                }
+            }
+        }
     }
 
-    if ($is_balancer) {
-        if (!$otherserver) { 
-            ($otherserver) = &Apache::lonnet::choose_server($form{'udom'});
-        }
+    if (($is_balancer) && (!$hosthere)) {
         if ($otherserver) {
             &success($r,$form{'uname'},$form{'udom'},$authhost,'noredirect',undef,
                      \%form);
@@ -548,6 +540,9 @@ sub handler {
                 return OK;
             }
         }
+        if (($is_balancer) && ($hosthere)) {
+            $form{'noloadbalance'} = $hosthere;
+        }
         &success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,undef,
                  \%form);
         return OK;