Index: openacs-4/packages/acs-core-docs/www/security-notes.html
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/security-notes.html,v
diff -u -r1.47 -r1.48
--- openacs-4/packages/acs-core-docs/www/security-notes.html	11 Dec 2010 23:36:32 -0000	1.47
+++ openacs-4/packages/acs-core-docs/www/security-notes.html	27 Oct 2014 16:39:25 -0000	1.48
@@ -1,12 +1,12 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 'http://www.w3.org/TR/html4/loose.dtd"'>
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Security Notes</title><link rel="stylesheet" type="text/css" href="openacs.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.0"><link rel="home" href="index.html" title="OpenACS Core Documentation"><link rel="up" href="kernel-doc.html" title="Chapter 14. Kernel Documentation"><link rel="previous" href="security-design.html" title="Security Design"><link rel="next" href="rp-requirements.html" title="Request Processor Requirements"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><a href="http://openacs.org"><img src="/doc/images/alex.jpg" style="border:0" alt="Alex logo"></a><table width="100%" summary="Navigation header" border="0"><tr><td width="20%" align="left"><a accesskey="p" href="security-design.html">Prev</a> </td><th width="60%" align="center">Chapter 14. Kernel Documentation</th><td width="20%" align="right"> <a accesskey="n" href="rp-requirements.html">Next</a></td></tr></table><hr></div><div class="sect1" title="Security Notes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-notes"></a>Security Notes</h2></div></div></div><div class="authorblurb"><p>By Richard Li</p>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Security Notes</title><link rel="stylesheet" type="text/css" href="openacs.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="OpenACS Core Documentation"><link rel="up" href="kernel-doc.html" title="Chapter 15. Kernel Documentation"><link rel="previous" href="security-design.html" title="Security Design"><link rel="next" href="rp-requirements.html" title="Request Processor Requirements"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><a href="http://openacs.org"><img src="/doc/images/alex.jpg" style="border:0" alt="Alex logo"></a><table width="100%" summary="Navigation header" border="0"><tr><td width="20%" align="left"><a accesskey="p" href="security-design.html">Prev</a> </td><th width="60%" align="center">Chapter 15. Kernel Documentation</th><td width="20%" align="right"> <a accesskey="n" href="rp-requirements.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-notes"></a>Security Notes</h2></div></div></div><div class="authorblurb"><p>By Richard Li</p>
           OpenACS docs are written by the named authors, and may be edited
           by OpenACS documentation staff.
         </div><p>
 The security system was designed for security. Thus, decisions requiring
 trade-offs between ease-of-use and security tend to result in a system that
 may not be as easy to use but is more secure. 
-</p><div class="sect2" title="HTTPS and the sessions system"><div class="titlepage"><div><div><h3 class="title"><a name="security-notes-https-sessions"></a>HTTPS and the sessions system</h3></div></div></div><p>
+</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="security-notes-https-sessions"></a>HTTPS and the sessions system</h3></div></div></div><p>
 
 If a user switches to HTTPS after logging into the system via HTTP, the user
 must obtain a secure token. To insure security, the <span class="emphasis"><em>only way</em></span> to
@@ -27,7 +27,7 @@
     if { [ad_secure_conn_p] &amp;&amp; ![ad_login_page] } {
         set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
         
-        if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } {
+        if { $s_token_cookie eq "" || $s_token_cookie ne [lindex [sec_get_session_info $session_id] 2]} {
         # token is incorrect or nonexistent, so we force relogin.
         ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
         }