Index: openacs-4/packages/acs-core-docs/www/security-notes.html
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/security-notes.html,v
diff -u -r1.49 -r1.50
--- openacs-4/packages/acs-core-docs/www/security-notes.html	7 Aug 2017 23:47:52 -0000	1.49
+++ openacs-4/packages/acs-core-docs/www/security-notes.html	8 Nov 2017 09:42:12 -0000	1.50
@@ -1,29 +1,48 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 'http://www.w3.org/TR/html4/loose.dtd"'>
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Security Notes</title><link rel="stylesheet" type="text/css" href="openacs.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="index.html" title="OpenACS Core Documentation"><link rel="up" href="kernel-doc.html" title="Chapter 15. Kernel Documentation"><link rel="previous" href="security-design.html" title="Security Design"><link rel="next" href="rp-requirements.html" title="Request Processor Requirements"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><a href="http://openacs.org"><img src="/doc/images/alex.jpg" style="border:0" alt="Alex logo"></a><table width="100%" summary="Navigation header" border="0"><tr><td width="20%" align="left"><a accesskey="p" href="security-design.html">Prev</a> </td><th width="60%" align="center">Chapter 15. Kernel Documentation</th><td width="20%" align="right"> <a accesskey="n" href="rp-requirements.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-notes"></a>Security Notes</h2></div></div></div><div class="authorblurb"><p>By Richard Li</p>
-          OpenACS docs are written by the named authors, and may be edited
-          by OpenACS documentation staff.
-        </div><p>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Security Notes</title><link rel="stylesheet" type="text/css" href="openacs.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.2"><link rel="home" href="index.html" title="OpenACS Core Documentation"><link rel="up" href="kernel-doc.html" title="Chapter 15. Kernel Documentation"><link rel="previous" href="security-design.html" title="Security Design"><link rel="next" href="rp-requirements.html" title="Request Processor Requirements"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><a href="http://openacs.org"><img src="/doc/images/alex.jpg" style="border:0" alt="Alex logo"></a><table width="100%" summary="Navigation header" border="0"><tr><td width="20%" align="left"><a accesskey="p" href="security-design.html">Prev</a> </td><th width="60%" align="center">Chapter 15. Kernel Documentation</th><td width="20%" align="right"> <a accesskey="n" href="rp-requirements.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-notes"></a>Security Notes</h2></div></div></div>
+
+
+
+<span style="color: red">&lt;authorblurb&gt;
+<p>By Richard Li</p>
+&lt;/authorblurb&gt;</span>
+
+<p>
 The security system was designed for security. Thus, decisions requiring
 trade-offs between ease-of-use and security tend to result in a system that
 may not be as easy to use but is more secure. 
-</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="security-notes-https-sessions"></a>HTTPS and the sessions system</h3></div></div></div><p>
+</p>
 
+
+
+<div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="security-notes-https-sessions"></a>HTTPS and the sessions system</h3></div></div></div>
+
+<p>
+
 If a user switches to HTTPS after logging into the system via HTTP, the user
 must obtain a secure token. To insure security, the <span class="emphasis"><em>only way</em></span> to
 obtain a secure token in the security system is to authenticate yourself via
 password over an HTTPS connection. Thus, users may need to log on again to a
 system when switching from HTTP to HTTPS. Note that logging on to a system
 via HTTPS gives the user both insecure and secure authentication tokens, so
 switching from HTTPS to HTTP does not require reauthentication. 
-</p><p>This method of authentication is important in order to establish, in as
+</p>
+
+<p>This method of authentication is important in order to establish, in as
 strong a manner as possible, the identity of the owner of the secure token.
 In order for the security system to offer stronger guarantees of someone who
 issues a secure token, the method of authentication must be as strong as the
-method of transmission.</p><p>If a developer truly does not want such a level of protection, this system
+method of transmission.</p>
+
+<p>If a developer truly does not want such a level of protection, this system
 can be disabled via source code modification only. This can be accomplished
 by commenting out the following lines in the <code class="computeroutput">sec_handler</code>
-procedure defined in <code class="computeroutput">security-procs.tcl</code>:</p><pre class="programlisting">
+procedure defined in <code class="computeroutput">security-procs.tcl</code>:</p>
 
+ 
+
+<pre class="programlisting">
+
     if { [ad_secure_conn_p] &amp;&amp; ![ad_login_page] } {
         set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
         
@@ -33,10 +52,17 @@
         }
     }
 
-</pre><p>The source code must also be edited if the user login pages have been
+</pre>
+
+
+<p>The source code must also be edited if the user login pages have been
 moved out of an OpenACS system. This information is contained by the
-<code class="computeroutput">ad_login_page</code> procedure in <code class="computeroutput">security-procs.tcl</code>:</p><pre class="programlisting">
+<code class="computeroutput">ad_login_page</code> procedure in <code class="computeroutput">security-procs.tcl</code>:</p>
 
+ 
+
+<pre class="programlisting">
+
 ad_proc -private ad_login_page {} {
     
     Returns 1 if the page is used for logging in, 0 otherwise. 
@@ -51,8 +77,16 @@
     return 0
 }
 
-</pre><p>
+</pre>
+
+<p>
 The set of string match expressions in the procedure above should be extended
 appropriately for other registration pages. This procedure does not use
 <code class="computeroutput">ad_parameter</code> or regular expressions for performance reasons, as
-it is called by the request processor. </p><div class="cvstag">($Id$)</div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="security-design.html">Prev</a> </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right"> <a accesskey="n" href="rp-requirements.html">Next</a></td></tr><tr><td width="40%" align="left">Security Design </td><td width="20%" align="center"><a accesskey="u" href="kernel-doc.html">Up</a></td><td width="40%" align="right"> Request Processor Requirements</td></tr></table><hr><address><a href="mailto:docs@openacs.org">docs@openacs.org</a></address></div><a name="comments"></a></body></html>
+it is called by the request processor. </p>
+
+
+
+<p><span class="cvstag">($Id$)</span></p>
+</div>
+</div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="security-design.html">Prev</a> </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right"> <a accesskey="n" href="rp-requirements.html">Next</a></td></tr><tr><td width="40%" align="left">Security Design </td><td width="20%" align="center"><a accesskey="u" href="kernel-doc.html">Up</a></td><td width="40%" align="right"> Request Processor Requirements</td></tr></table><hr><address><a href="mailto:docs@openacs.org">docs@openacs.org</a></address></div><a name="comments"></a></body></html>