--- loncom/auth/lonauth.pm	2020/03/15 23:04:10	1.159
+++ loncom/auth/lonauth.pm	2022/06/30 21:04:13	1.176
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.159 2020/03/15 23:04:10 raeburn Exp $
+# $Id: lonauth.pm,v 1.176 2022/06/30 21:04:13 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -42,11 +42,12 @@ use Apache::lonlocal;
 use Apache::File();
 use HTML::Entities;
 use Digest::MD5;
+use CGI::Cookie();
  
 # ------------------------------------------------------------ Successful login
 sub success {
     my ($r, $username, $domain, $authhost, $lowerurl, $extra_env,
-	$form,$skipcritical,$cid) = @_;
+	$form,$skipcritical,$cid,$expirepub) = @_;
 
 # ------------------------------------------------------------ Get cookie ready
     my $cookie =
@@ -60,8 +61,9 @@ sub success {
 
 # -------------------------------------------------------------------- Log this
 
+    my $ip = &Apache::lonnet::get_requestor_ip();
     &Apache::lonnet::log($domain,$username,$authhost,
-                         "Login $ENV{'REMOTE_ADDR'}");
+                         "Login $ip");
 
 # ------------------------------------------------- Check for critical messages
 
@@ -177,14 +179,37 @@ sub success {
         $destination .= 'source=login';
     }
 
+    my $brcrum = [{'href' => '',
+                   'text' => 'Successful Login'},];
+    my $args = {'no_inline_link' => 1,
+                'bread_crumbs' => $brcrum,};
+    if (($env{'request.deeplink.login'} eq $lowerurl) &&
+        (($env{'request.linkprot'}) || ($env{'request.linkkey'} ne ''))) {
+        my %info;
+        if ($env{'request.linkprot'}) {
+            $info{'linkprot'} = $env{'request.linkprot'};
+            foreach my $item ('linkprotuser','linkprotexit') {
+                if ($form->{$item}) {
+                    $info{$item} = $form->{$item};
+                }
+            }
+            $args = {'only_body' => 1,};
+        } elsif ($env{'request.linkkey'} ne '') {
+            $info{'linkkey'} = $env{'request.linkkey'};
+        }
+        $info{'origurl'} = $lowerurl;
+        my $token = &Apache::lonnet::tmpput(\%info,$r->dir_config('lonHostID'),'link');
+        unless (($token eq 'con_lost') || ($token eq 'refused') ||
+                ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+            $destination .= (($destination =~ /\?/) ? '&' : '?') . 'ttoken='.$token;
+        }
+    }
+
     my $windowname = 'loncapaclient';
     if ($env{'request.lti.login'}) {
         $windowname .= 'lti';
     }
     my $windowinfo = Apache::lonhtmlcommon::scripttag('self.name="'.$windowname.'";');
-    my $brcrum = [{'href' => '',
-                   'text' => 'Successful Login'},];
-    my $args = {'bread_crumbs' => $brcrum,};
     unless ((defined($form->{role})) || (defined($form->{symb}))) {
         my $update=$env{'user.update.time'};
         if (!$update) {
@@ -216,6 +241,12 @@ sub success {
     if ($defaultcookie) {
         $r->headers_out->add('Set-cookie' => $defaultcookie);
     }
+    if ($expirepub) {
+        my $c = new CGI::Cookie(-name    => 'lonPubID',
+                                -value   => '',
+                                -expires => '-10y',);
+        $r->headers_out->add('Set-cookie' => $c);
+    }
     $r->send_http_header;
 
     my ($start_page,$js,$pagebody,$end_page);
@@ -224,6 +255,7 @@ sub success {
         if ($env{'request.lti.target'} eq '') {
             my $ltitarget = (($destination =~ /\?/) ? '&' : '?').
                             'ltitarget=iframe';
+            &js_escape(\$destination);
             $js = <<"ENDJS";
 
 <script type="text/javascript">
@@ -251,18 +283,19 @@ ENDJS
         $args->{'redirect'} = [0,$destination];
         $start_page=&Apache::loncommon::start_page('Successful Login',
                                                    $js,$args);
-
-        my %lt=&Apache::lonlocal::texthash(
-				           'wel' => 'Welcome',
-				           'pro' => 'Login problems?',
+        unless ($env{'request.linkprot'}) {
+            my %lt=&Apache::lonlocal::texthash(
+		    		               'wel' => 'Welcome',
+				               'pro' => 'Login problems?',
 				          );
-        $pagebody = "<h1>$lt{'wel'}</h1>\n".
-                    &mt('Welcome to the Learning[_1]Online[_2] Network with CAPA. Please wait while your session is being set up.','<i>','</i>');
-        my $loginhelp = &loginhelpdisplay($domain);
-        if ($loginhelp) {
-            $pagebody .= '<p><a href="'.$loginhelp.'">'.$lt{'pro'}.'</a></p>';
+            $pagebody = "<h1>$lt{'wel'}</h1>\n".
+                        &mt('Welcome to the Learning[_1]Online[_2] Network with CAPA. Please wait while your session is being set up.','<i>','</i>');
+            my $loginhelp = &loginhelpdisplay($domain);
+            if ($loginhelp) {
+                $pagebody .= '<p><a href="'.$loginhelp.'">'.$lt{'pro'}.'</a></p>';
+            }
         }
-    }
+    } 
     $end_page = &Apache::loncommon::end_page();
     $r->print(<<ENDSUCCESS);
 $start_page
@@ -276,74 +309,109 @@ ENDSUCCESS
 # --------------------------------------------------------------- Failed login!
 
 sub failed {
-    my ($r,$message,$form) = @_;
+    my ($r,$message,$form,$authhost) = @_;
     (undef,undef,undef,my $clientmathml,my $clientunicode) =
         &Apache::loncommon::decode_user_agent();
     my $args = {};
     if ($clientunicode && !$clientmathml) {
         $args = {'browser.unicode' => 1};
     }
+    if ($form->{firsturl} =~ m{^/tiny/$match_domain/\w+$}) {
+        if ($form->{linkprot}) {
+            $args->{only_body} = 1;
+        }
+    }
 
+    my @actions;
     my $start_page = &Apache::loncommon::start_page('Unsuccessful Login',undef,$args);
     my $uname = &Apache::loncommon::cleanup_html($form->{'uname'});
     my $udom = &Apache::loncommon::cleanup_html($form->{'udom'});
     if (&Apache::lonnet::domain($udom,'description') eq '') {
         undef($udom);
     }
+    my $authtype;
+    if (($udom ne '') && ($uname ne '') && ($authhost eq 'no_host')) {
+        $authtype = &Apache::lonnet::queryauthenticate($uname,$udom);
+    }
     my $retry = '/adm/login';
-    if ($uname eq $form->{'uname'}) {
+    if (($uname eq $form->{'uname'}) && ($authtype !~ /^lti:/)) {
         $retry .= '?username='.$uname;
     }
     if ($udom) {
         $retry .= (($retry=~/\?/)?'&amp;':'?').'domain='.$udom;
     }
-    if (exists($form->{role})) {
-        my $role = &Apache::loncommon::cleanup_html($form->{role});
-        if ($role ne '') {
-            $retry .= (($retry=~/\?/)?'&amp;':'?').'role='.$role;
-        }
-    }
-    if (exists($form->{symb})) {
-        my $symb = &Apache::loncommon::cleanup_html($form->{symb});
-        if ($symb ne '') {
-            $retry .= (($retry=~/\?/)?'&amp;':'?').'symb='.$symb;
-        }
-    }
-    if (exists($form->{firsturl})) {
-        my $firsturl = &Apache::loncommon::cleanup_html($form->{firsturl});
-        if ($firsturl ne '') {
-            $retry .= (($retry=~/\?/)?'&amp;':'?').'firsturl='.$firsturl;
-            if ($firsturl =~ m{^/tiny/$match_domain/\w+$}) {
-                unless (exists($form->{linkprot})) {
-                    if (exists($form->{linkkey})) {
-                        $retry .= 'linkkey='.$form->{linkkey};
+    my $lonhost = $r->dir_config('lonHostID');
+    my $querystr;
+    my $result = &set_retry_token($form,$lonhost,\$querystr);
+    if ($result eq 'fail') {
+        if (exists($form->{role})) {
+            my $role = &Apache::loncommon::cleanup_html($form->{role});
+            if ($role ne '') {
+                $retry .= (($retry=~/\?/)?'&amp;':'?').'role='.$role;
+            }
+        }
+        if (exists($form->{symb})) {
+            my $symb = &Apache::loncommon::cleanup_html($form->{symb});
+            if ($symb ne '') {
+                $retry .= (($retry=~/\?/)?'&amp;':'?').'symb='.$symb;
+            }
+        }
+        if (exists($form->{firsturl})) {
+            my $firsturl = &Apache::loncommon::cleanup_html($form->{firsturl});
+            if ($firsturl ne '') {
+                $retry .= (($retry=~/\?/)?'&amp;':'?').'firsturl='.$firsturl;
+                if ($form->{firsturl} =~ m{^/tiny/$match_domain/\w+$}) {
+                    unless (exists($form->{linkprot})) {
+                        if (exists($form->{linkkey})) {
+                            $retry .= 'linkkey='.$form->{linkkey};
+                        }
                     }
                 }
             }
         }
-    }
-    if (exists($form->{linkprot})) {
-        my $ltoken = &Apache::lonnet::tmpput({linkprot => $form->{'linkprot'}},
-                                             $r->dir_config('lonHostID'));
-        if ($ltoken) {
-            $retry .= (($retry =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
+        if (exists($form->{linkprot})) {
+            my %info = (
+                         'linkprot' => $form->{'linkprot'},
+                       );
+            foreach my $item ('linkprotuser','linkprotexit') {
+                if ($form->{$item} ne '') {
+                    $info{$item} = $form->{$item};
+                }
+            }
+            my $ltoken = &Apache::lonnet::tmpput(\%info,
+                                                 $r->dir_config('lonHostID'),'retry');
+            if ($ltoken) {
+                $retry .= (($retry =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
+            }
         }
+    } elsif ($querystr ne '') {
+        $retry .= (($retry=~/\?/)?'&amp;':'?').$querystr;
     }
     my $end_page = &Apache::loncommon::end_page();
     &Apache::loncommon::content_type($r,'text/html');
     $r->send_http_header;
-    my @actions =
-         (&mt('Please [_1]log in again[_2].','<a href="'.$retry.'">','</a>'));
+    if ($authtype =~ /^lti:/) {
+        $message = &mt('Direct login is not supported with the username you entered.').
+                   '<br /><br />'.
+                   &mt('You likely need to launch LON-CAPA from within a course in a different Learning Management System.').
+                   '<br />'.
+                   &mt('You can also try to log in with a different username.');
+        @actions = 
+            (&mt('Try your [_1]log in again[_2].','<a href="'.$retry.'">','</a>'));
+    } else {
+        $message = &mt($message);
+        @actions =
+            (&mt('Please [_1]log in again[_2].','<a href="'.$retry.'">','</a>'));
+    }
     my $loginhelp = &loginhelpdisplay($udom);
     if ($loginhelp) {
         push(@actions, '<a href="'.$loginhelp.'">'.&mt('Login problems?').'</a>');
     }
     #FIXME: link to helpdesk might be added here
-
     $r->print(
        $start_page
       .'<h2>'.&mt('Sorry ...').'</h2>'
-      .&Apache::lonhtmlcommon::confirm_success(&mt($message),1).'<br /><br />'
+      .&Apache::lonhtmlcommon::confirm_success($message,1).'<br /><br />'
       .&Apache::lonhtmlcommon::actionbox(\@actions)
       .$end_page
     );
@@ -385,24 +453,89 @@ sub handler {
             &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
 	    &Apache::loncommon::content_type($r,'text/html');
 	    $r->send_http_header;
-	    my $start_page = 
+	    my $start_page =
 	        &Apache::loncommon::start_page('Already logged in');
 	    my $end_page = 
 	        &Apache::loncommon::end_page();
             my $dest = '/adm/roles';
-            if ($env{'form.firsturl'} ne '') {
-                $dest = $env{'form.firsturl'};
-                if ($env{'form.firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
-                    &Apache::lonnet::appenv({'request.deeplink.login' => $env{'form.firsturl'}}); 
+            my %form = &get_form_items($r);
+            if ($form{'logtoken'}) {
+                my $tmpinfo = &Apache::lonnet::reply('tmpget:'.$form{'logtoken'},
+                                                     $form{'serverid'});
+                unless (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost') ||
+                        ($tmpinfo eq 'no_such_host')) {
+                    my ($des_key,$firsturl,@rest)=split(/&/,$tmpinfo);
+                    $firsturl = &unescape($firsturl);
+                    my %info;
+                    foreach my $item (@rest) {
+                        my ($key,$value) = split(/=/,$item);
+                        $info{$key} = &unescape($value);
+                    }
+                    if ($firsturl ne '') {
+                        $info{'firsturl'} = $firsturl;
+                        $dest = $firsturl;
+                        my $relogin;
+                        if ($dest =~ m{^/tiny/$match_domain/\w+$}) {
+                            if ($env{'request.course.id'}) {
+                                my $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
+                                my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
+                                my $symb = &Apache::loncommon::symb_from_tinyurl($dest,$cnum,$cdom);
+                                if ($symb) {
+                                    unless (&set_deeplink_login(%info) eq 'ok') {
+                                        $relogin = 1;
+                                    }
+                                }
+                            }
+                            if ($relogin) {
+                                $r->print(
+                                      $start_page
+                                     .'<p class="LC_warning">'.&mt('You are already logged in!').'</p>'
+                                     .'<p>'.&mt('Please [_1]log out[_2] first, and then try your access again',
+                                                '<a href="/adm/logout">','</a>')
+                                     .'</p>'
+                                     .$end_page);
+                            } else {
+                                if (($info{'linkprot'}) || ($info{'linkkey'} ne '')) {
+                                    if (($info{'linkprot'}) && ($info{'linkprotuser'} ne '')) {
+                                        unless ($info{'linkprotuser'} eq $env{'user.name'}.':'.$env{'user.domain'}) {
+                                            $r->print(
+                                                      $start_page
+                                                      .'<p class="LC_warning">'.&mt('You are already logged in, but as a different user from the one expected for the link you followed from another system').'</p>'
+                                                      .'<p>'.&mt('Please [_1]log out[_2] first, and then try following the link again from the other system',
+                                                                 '<a href="/adm/logout">','</a>')
+
+                                                      .'</p>'
+                                                      .$end_page);
+                                            return OK;
+                                        }
+                                    }
+                                    my $token = &Apache::lonnet::tmpput(\%info,$r->dir_config('lonHostID'),'link');
+                                    unless (($token eq 'con_lost') || ($token eq 'refused') ||
+                                            ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                                        $dest .= (($dest =~ /\?/) ? '&' : '?') . 'ttoken='.$token;
+                                    }
+                                }
+                                $r->print(
+                                      $start_page
+                                     .'<p class="LC_warning">'.&mt('You are already logged in!').'</p>'
+                                     .'<p>'.&mt('Please either [_1]continue the current session[_2] or [_3]log out[_4] first, and then try your access again',
+                                                '<a href="'.$dest.'">','</a>',
+                                                '<a href="/adm/logout">','</a>')
+                                     .'</p>'
+                                     .$end_page);
+                            }
+                            return OK;
+                        }
+                    }
                 }
             }
             $r->print(
-               $start_page
-              .'<p class="LC_warning">'.&mt('You are already logged in!').'</p>'
-              .'<p>'.&mt('Please either [_1]continue the current session[_2] or [_3]log out[_4].'
-                    ,'<a href="'.$dest.'">','</a>','<a href="/adm/logout">','</a>')
-              .'</p>'
-              .$end_page
+                  $start_page
+                 .'<p class="LC_warning">'.&mt('You are already logged in!').'</p>'
+                 .'<p>'.&mt('Please either [_1]continue the current session[_2] or [_3]log out[_4].'
+                          ,'<a href="'.$dest.'">','</a>','<a href="/adm/logout">','</a>')
+                 .'</p>'
+                 .$end_page
             );
             return OK;
         }
@@ -410,19 +543,7 @@ sub handler {
 
 # ---------------------------------------------------- No valid token, continue
 
-
-    my $buffer;
-    if ($r->header_in('Content-length') > 0) {
-	$r->read($buffer,$r->header_in('Content-length'),0);
-    }
-    my %form;
-    foreach my $pair (split(/&/,$buffer)) {
-       my ($name,$value) = split(/=/,$pair);
-       $value =~ tr/+/ /;
-       $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
-       $form{$name}=$value;
-    }
-
+    my %form = &get_form_items($r);
     if ((!$form{'uname'}) || (!$form{'upass0'}) || (!$form{'udom'})) {
 	&failed($r,'Username, password and domain need to be specified.',
 		\%form);
@@ -466,39 +587,17 @@ sub handler {
         return OK;
     }
 
-    my ($key,$firsturl,$rolestr,$symbstr,$iptokenstr,$linkstr)=split(/&/,$tmpinfo);
-    if ($rolestr) {
-        $rolestr = &unescape($rolestr);
-    }
-    if ($symbstr) {
-        $symbstr= &unescape($symbstr);
-    }
-    if ($iptokenstr) {
-        $iptokenstr = &unescape($iptokenstr);
-    }
-    if ($linkstr) {
-        $linkstr = &unescape($linkstr);
+    my ($des_key,$firsturl,@rest)=split(/&/,$tmpinfo);
+    $firsturl = &unescape($firsturl);
+    foreach my $item (@rest) {
+        my ($key,$value) = split(/=/,$item);
+        $form{$key} = &unescape($value);
     }
     if ($firsturl =~ m{^/tiny/$match_domain/\w+$}) {
         $form{'firsturl'} = $firsturl;
     }
-    if ($rolestr =~ /^role=/) {
-        (undef,$form{'role'}) = split('=',$rolestr);
-    }
-    if ($symbstr =~ /^symb=/) { 
-        (undef,$form{'symb'}) = split('=',$symbstr);
-    }
-    if ($iptokenstr =~ /^iptoken=/) {
-        (undef,$form{'iptoken'}) = split('=',$iptokenstr);
-    }
-    if ($linkstr =~ /^linkprot=/) {
-        (undef,$form{'linkprot'}) = split('=',$linkstr);
-    } elsif ($linkstr =~ /^linkkey=/) {
-        (undef,$form{'linkkey'}) = split('=',$linkstr);
-    }
-
     my $upass = $ENV{HTTPS} ? $form{'upass0'} 
-        : &Apache::loncommon::des_decrypt($key,$form{'upass0'});
+        : &Apache::loncommon::des_decrypt($des_key,$form{'upass0'});
 
 # ---------------------------------------------------------------- Authenticate
 
@@ -519,9 +618,33 @@ sub handler {
 # --------------------------------------------------------------------- Failed?
 
     if ($authhost eq 'no_host') {
-	&failed($r,'Username and/or password could not be authenticated.',
-		\%form);
-        return OK;
+        my $pwdverify;
+        if (&Apache::lonnet::homeserver($form{'uname'},$form{'udom'}) eq 'no_host') {
+            my %possunames = &alternate_unames_check($form{'uname'},$form{'udom'});
+            if (keys(%possunames) > 0) {
+                foreach my $rulematch (keys(%possunames)) {
+                    my $possuname = $possunames{$rulematch};
+                    if (($possuname ne '') && ($possuname =~ /^$match_username$/)) {
+                        $authhost=Apache::lonnet::authenticate($possuname,$upass,
+                                                               $form{'udom'},undef,
+                                                               $clientcancheckhost);
+                        if (($authhost eq 'no_host') || ($authhost eq 'no_account_on_host')) {
+                            next;
+                        } elsif (($authhost ne '') && (&Apache::lonnet::hostname($authhost) ne '')) {
+                            $pwdverify = 1;
+                            &Apache::lonnet::logthis("Authenticated user: $possuname was submitted as: $form{'uname'}"); 
+                            $form{'uname'} = $possuname;
+                            last;
+                        }
+                    }
+                }
+            }
+        }
+        unless ($pwdverify) {
+            &failed($r,'Username and/or password could not be authenticated.',
+                    \%form,$authhost);
+            return OK;
+        }
     } elsif ($authhost eq 'no_account_on_host') {
         if ($defaultauth) {
             my $domdesc = &Apache::lonnet::domain($form{'udom'},'description');
@@ -529,7 +652,8 @@ sub handler {
                 return OK;
             }
             my $start_page = 
-                &Apache::loncommon::start_page('Create a user account in LON-CAPA');
+                &Apache::loncommon::start_page('Create a user account in LON-CAPA',
+                                               '',{'no_inline_link'   => 1,});
             my $lonhost = $r->dir_config('lonHostID');
             my $origmail = $Apache::lonnet::perlvar{'lonSupportEMail'};
             my $contacts = 
@@ -559,9 +683,9 @@ sub handler {
 	$firsturl='/adm/roles';
     }
 
-    my $hosthere;
+    my ($hosthere,%sessiondata);
     if ($form{'iptoken'}) {
-        my %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
+        %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
         my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
         if (($sessiondata{'domain'} eq $form{'udom'}) &&
             ($sessiondata{'username'} eq $form{'uname'})) {
@@ -605,7 +729,7 @@ sub handler {
                         unless ($suprim eq $uprim) {
                             unless ($suintdom eq $uintdom) {
                                 &Apache::lonnet::logthis('Attempted switch user '
-                                   .'to user with different "internet domain".');                        
+                                   .'to user with different "internet domain".');
                                 $noprivswitch = 1;
                             }
                         }
@@ -640,17 +764,34 @@ sub handler {
 	}
     }
 
+    if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+        if (($form{'linkprot'}) && ($form{'linkprotuser'} ne '')) {
+            unless($form{'linkprotuser'} eq $form{'uname'}.':'.$form{'udom'}) {
+                delete($form{'udom'});
+                delete($form{'uname'});
+                &failed($r,'Username and/or domain are different to that expected for the link you followed from another system',
+                        \%form,$authhost);
+                return OK;
+            }
+        }
+    }
+
     my ($is_balancer,$otherserver);
 
     unless ($hosthere) {
         ($is_balancer,$otherserver) =
             &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'},'login');
         if ($is_balancer) {
+            # Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
+            my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r);
+            if (($found_server) && ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) {
+                $otherserver = $found_server;
+            }
             if ($otherserver eq '') {
                 my $lowest_load;
                 ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($form{'udom'});
                 if ($lowest_load > 100) {
-                    $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$form{'udom'});
+                    $otherserver = &Apache::lonnet::spareserver($r,$lowest_load,$lowest_load,1,$form{'udom'});
                 }
             }
             if ($otherserver ne '') {
@@ -668,7 +809,7 @@ sub handler {
                      \%form);
             my $switchto = '/adm/switchserver?otherserver='.$otherserver;
             if (($firsturl) && ($firsturl ne '/adm/switchserver') && ($firsturl ne '/adm/roles')) {
-                $switchto .= '&origurl='.$firsturl; #should escape
+                $switchto .= '&origurl='.$firsturl;
             }
             if ($form{'role'}) {
                 $switchto .= '&role='.$form{'role'};
@@ -678,14 +819,21 @@ sub handler {
             }
             if ($form{'linkprot'}) {
                 $env{'request.linkprot'} = $form{'linkprot'};
-            } elsif ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
-                if ($form{'linkkey'}) {
-                    $env{'request.linkkey'} = $form{'linkkey'};
+                foreach my $item ('linkprotuser','linkprotexit') {
+                    if ($form{$item}) {
+                        $env{'request.'.$item} = $form{$item};
+                    }
                 }
-                $env{'request.deeplink.login'} = $form{'firsturl'};
+            } elsif ($form{'linkkey'} ne '') {
+                $env{'request.linkkey'} = $form{'linkkey'};
+            }
+            if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+                &set_deeplink_login(%form);
             }
             $r->internal_redirect($switchto);
         } else {
+            &Apache::loncommon::content_type($r,'text/html');
+            $r->send_http_header;
             $r->print(&noswitch());
         }
         return OK;
@@ -697,7 +845,7 @@ sub handler {
                          \%form);
                 my $switchto = '/adm/switchserver?otherserver='.$otherserver;
                 if (($firsturl) && ($firsturl ne '/adm/switchserver') && ($firsturl ne '/adm/roles')) {
-                    $switchto .= '&origurl='.$firsturl; #should escape
+                    $switchto .= '&origurl='.$firsturl;
                 }
                 if ($form{'role'}) {
                     $switchto .= '&role='.$form{'role'};
@@ -707,15 +855,21 @@ sub handler {
                 }
                 if ($form{'linkprot'}) {
                     $env{'request.linkprot'} = $form{'linkprot'};
-                } elsif ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
-                    if ($form{'linkkey'}) {
-                        $env{'request.linkkey'} = $form{'linkkey'};
+                    foreach my $item ('linkprotuser','linkprotexit') {
+                        if ($form{$item}) {
+                            $env{'request.'.$item} = $form{$item};
+                        }
                     }
-                    $env{'request.deeplink.login'} = $form{'firsturl'};
-
+                } elsif ($form{'linkkey'} ne '') {
+                    $env{'request.linkkey'} = $form{'linkkey'};
+                }
+                if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+                    &set_deeplink_login(%form);
                 }
                 $r->internal_redirect($switchto);
             } else {
+                &Apache::loncommon::content_type($r,'text/html');
+                $r->send_http_header;
                 $r->print(&noswitch());
             }
             return OK;
@@ -736,7 +890,7 @@ sub handler {
 
 # ---------------------------------------------------------- Are we overloaded?
         if ((($userloadpercent>100.0)||($loadpercent>100.0))) {
-            my $unloaded=Apache::lonnet::spareserver($loadpercent,$userloadpercent,1,$form{'udom'});
+            my $unloaded=Apache::lonnet::spareserver($r,$loadpercent,$userloadpercent,1,$form{'udom'});
             if (!$unloaded) {
                 ($unloaded) = &Apache::lonnet::choose_server($form{'udom'});
             }
@@ -745,11 +899,11 @@ sub handler {
                          undef,\%form);
                 if ($form{'linkprot'}) {
                     $env{'request.linkprot'} = $form{'linkprot'};
-                } elsif ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
-                    if ($form{'linkkey'}) {
-                        $env{'request.linkkey'} = $form{'linkkey'};
-                    }
-                    $env{'request.deeplink.login'} = $form{'firsturl'};
+                } elsif ($form{'linkkey'} ne '') {
+                    $env{'request.linkkey'} = $form{'linkkey'};
+                }
+                if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+                    &set_deeplink_login(%form);
                 }
                 $r->internal_redirect('/adm/switchserver?otherserver='.$unloaded.'&origurl='.$firsturl);
                 return OK;
@@ -759,19 +913,52 @@ sub handler {
             $form{'noloadbalance'} = $hosthere;
         }
         my $extra_env;
+        if (($hosthere) && ($sessiondata{'sessionserver'} ne '')) {
+            if ($sessiondata{'origurl'} ne '') {
+                $firsturl = $sessiondata{'origurl'};
+                $form{'firsturl'} = $sessiondata{'origurl'};
+                my @names = ('role','symb','linkprot','linkkey');
+                foreach my $item (@names) {
+                    if ($sessiondata{$item} ne '') {
+                        $form{$item} = $sessiondata{$item};
+                    }
+                }
+            }
+        }
         if ($form{'linkprot'}) {
             my ($linkprotector,$uri) = split(/:/,$form{'linkprot'},2);
             if ($linkprotector) {
                 $extra_env = {'user.linkprotector' => $linkprotector,
-                              'user.linkproturi'   => $uri,};
+                              'user.linkproturi'   => $uri};
             }
-        } elsif ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
-            if ($form{'linkkey'}) {
-                $extra_env = {'user.deeplinkkey' => $form{'linkkey'},
-                              'user.keyedlinkuri' => $form{'firsturl'},
-                              'request.deeplink.login' => $form{'firsturl'}};
-            } else {
-                $extra_env = {'request.deeplink.login' => $form{'firsturl'}};
+        } elsif ($form{'linkkey'} ne '') {
+            $extra_env = {'user.deeplinkkey'  => $form{'linkkey'},
+                          'user.keyedlinkuri' => $form{'firsturl'}};
+        }
+        if ($form{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+            &set_deeplink_login(%form);
+            if ($form{'linkprot'}) {
+                if (ref($extra_env) eq 'HASH') {
+                    %{$extra_env} = ( %{$extra_env}, 'request.linkprot' => $form{'linkprot'} );
+                } else {
+                    $extra_env = {'request.linkprot' => $form{'linkprot'}};
+                }
+                if ($form{'linkprotexit'}) {
+                    $extra_env->{'request.linkprotexit'} = $form{'linkprotexit'};
+                }
+            } elsif ($form{'linkkey'} ne '') {
+                if (ref($extra_env) eq 'HASH') {
+                    %{$extra_env} = ( %{$extra_env}, 'request.linkkey' => $form{'linkkey'} );
+                } else {
+                    $extra_env = {'request.linkkey' => $form{'linkkey'}};
+                }
+            }
+            if ($env{'request.deeplink.login'}) {
+                if (ref($extra_env) eq 'HASH') {
+                    %{$extra_env} = ( %{$extra_env}, 'request.deeplink.login' => $form{'firsturl'} );
+                } else {
+                    $extra_env = {'request.deeplink.login' => $form{'firsturl'}};
+                }
             }
         }
         &success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,$extra_env,
@@ -780,6 +967,98 @@ sub handler {
     }
 }
 
+sub get_form_items {
+    my ($r) = @_;
+    my $buffer;
+    if ($r->header_in('Content-length') > 0) {
+        $r->read($buffer,$r->header_in('Content-length'),0);
+    }
+    my %form;
+    foreach my $pair (split(/&/,$buffer)) {
+       my ($name,$value) = split(/=/,$pair);
+       $value =~ tr/+/ /;
+       $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
+       $form{$name}=$value;
+    }
+    return %form;
+}
+
+sub set_deeplink_login {
+    my (%form) = @_;
+    my $disallow;
+    if ($form{'firsturl'} =~ m{^/tiny/($match_domain)/\w+$}) {
+        my $cdom = $1;
+        my ($cnum,$symb) = &Apache::loncommon::symb_from_tinyurl($form{'firsturl'},'',$cdom);
+        if ($symb) {
+            if ($env{'request.course.id'} eq $cdom.'_'.$cnum) {
+                my $deeplink;
+                if ($symb =~ /\.(page|sequence)$/) {
+                    my $mapname = &Apache::lonnet::deversion((&Apache::lonnet::decode_symb($symb))[2]);
+                    my $navmap = Apache::lonnavmaps::navmap->new();
+                    if (ref($navmap)) {
+                        $deeplink = $navmap->get_mapparam(undef,$mapname,'0.deeplink');
+                    }
+                } else {
+                    $deeplink = &Apache::lonnet::EXT('resource.0.deeplink',$symb);
+                }
+                if ($deeplink ne '') {
+                    my ($state,$others,$listed,$scope,$protect) = split(/,/,$deeplink);
+                    if (($protect ne 'none') && ($protect ne '')) {
+                        my ($acctype,$item) = split(/:/,$protect);
+                        if ($acctype =~ /lti(c|d)$/) {
+                            unless ($form{'linkprot'} eq $item.$1.':'.$env{'request.deeplink.login'}) {
+                                $disallow = 1;
+                            }
+                        } elsif ($acctype eq 'key') {
+                            unless ($form{'linkkey'} eq $item) {
+                                $disallow = 1;
+                            }
+                        }
+                    }
+                }
+                unless ($disallow) {
+                    $env{'request.deeplink.login'} = $form{'firsturl'};
+                }
+            } else {
+                $env{'request.deeplink.login'} = $form{'firsturl'};
+            }
+        }
+    }
+    if ($disallow) {
+        return;
+    }
+    return 'ok';
+}
+
+sub set_retry_token {
+    my ($form,$lonhost,$querystr) = @_;
+    if (ref($form) eq 'HASH') {
+        my ($firsturl,$token,$extras,@names);
+        @names = ('role','symb','linkprotuser','linkprotexit','linkprot','linkkey','iptoken');
+        foreach my $name (@names) {
+            if ($form->{$name} ne '') {
+                $extras .= '&'.$name.'='.&escape($form->{$name});
+                last if ($name eq 'linkprot');
+            }
+        }
+        my $firsturl = $form->{'firsturl'};
+        if (($firsturl ne '') || ($extras ne '')) {
+            $extras .= ':retry';
+            $token = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
+                                            $extras,$lonhost);
+            if (($token eq 'con_lost') || ($token eq 'no_such_host')) {
+                return 'fail';
+            } else {
+                if (ref($querystr)) {
+                    $$querystr = 'retry='.$token;
+                }
+                return 'ok';
+            }
+        }
+    }
+    return;
+}
+
 sub check_can_host {
     my ($r,$form,$authhost,$domdesc) = @_;
     return unless (ref($form) eq 'HASH');
@@ -820,6 +1099,8 @@ sub check_can_host {
             if ($login_host ne '') {
                 my $protocol = $Apache::lonnet::protocol{$login_host};
                 $protocol = 'http' if ($protocol ne 'https');
+                my $alias = &Apache::lonnet::use_proxy_alias($r,$login_host);
+                $hostname = $alias if ($alias ne '');
                 my $newurl = $protocol.'://'.$hostname.'/adm/createaccount';
 #FIXME Should preserve where user was going and linkprot by setting ltoken at $login_host
                 $r->print(&Apache::loncommon::start_page('Create a user account in LON-CAPA').
@@ -838,13 +1119,13 @@ sub check_can_host {
         } else {
             &success($r,$form->{'uname'},$udom,$authhost,'noredirect',undef,
                      $form);
+            if ($form->{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+                $env{'request.deeplink.login'} = $form->{'firsturl'};
+            }
             if ($form->{'linkprot'}) {
                 $env{'request.linkprot'} = $form->{'linkprot'};
-            } elsif ($form->{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
-                if ($form->{'linkkey'}) {
-                    $env{'request.linkkey'} = $form->{'linkkey'};
-                }
-                $env{'request.deeplink.login'} = $form->{'firsturl'};
+            } elsif ($form->{'linkkey'} ne '') {
+                $env{'request.linkkey'} = $form->{'linkkey'};
             }
             my ($otherserver) = &Apache::lonnet::choose_server($udom);
             $r->internal_redirect('/adm/switchserver?otherserver='.$otherserver);
@@ -889,6 +1170,20 @@ sub loginhelpdisplay {
     return;
 }
 
+sub alternate_unames_check {
+    my ($uname,$udom) = @_;
+    my %possunames;
+    my %domdefs = &Apache::lonnet::get_domain_defaults($udom);
+    if (ref($domdefs{'unamemap_rule'}) eq 'ARRAY') { 
+        if (@{$domdefs{'unamemap_rule'}} > 0) {
+            %possunames =
+                &Apache::lonnet::inst_rulecheck($udom,$uname,undef,
+                                                'unamemap',$domdefs{'unamemap_rule'});
+        }
+    }
+    return %possunames;
+}
+
 1;
 __END__