185dbcc2ba84d6eb1301163b926ebed3177cd379
angie
Thu May 19 04:42:20 2016 -0700
Several revisions to login cookie-checking after helpful code review by Max:
Use /dev/urandom instead of srand(clock1000()), duh.
Instead of forming cookie strings in both wikiLink.c and hgLogin.c,
form them all in wikiLink.c so they're consistent. The wikiLink
routines now return (possibly empty) slName lists of cookie strings
to be set.
The login system uses new cookie names that default to a concatenation
of central.cookie (which needs to have one name per central database,
like hguid for RR hgcentral and hguid.genome-test for hgcentraltest)
and either optional new config params login.tokenCookie and
login.userNameCookie or central.cookie concatenated with hgLoginToken and
hgLoginUserName (because login uses the central db, so it's different for
hgwdev vs RR). If those cookies are not set but the wiki cookies are set,
then we accept the wiki cookie values and send out the new cookies,
removing the wiki cookies the first time that happens.
The login system no longer depends on any wiki.* hg.conf settings.
refs #17336, #17327
diff --git src/hg/hgSession/hgSession.c src/hg/hgSession/hgSession.c
index de6041a..c25f4d8 100644
--- src/hg/hgSession/hgSession.c
+++ src/hg/hgSession/hgSession.c
@@ -500,31 +500,31 @@
printf("
\n");
if (userName != NULL)
{
printf("- Each previously saved named session appears with "
"Browser and Email links. "
"The Email link invokes your email tool with a message "
"containing the Genome Browser link. The Email link can "
"be bookmarked in your web browser and/or shared with "
"others. If you right-click and copy the Browser link, "
"it will be the same as the Email link. However, if you "
"click the Browser link it will take you to the Genome "
"Browser and become a uniquely identified URL once the "
"session loads, so that resulting link is not advised "
"for sharing.
\n");
}
-else if (wikiLinkEnabled())
+else if (loginSystemEnabled() || wikiLinkEnabled())
{
printf("- If you sign in, you will be able "
" to save named sessions which will be displayed with "
" Browser and Email links.
\n",
wikiLinkUserLoginUrl(cartSessionId(cart)));
}
dyStringPrintf(dyUrl, "http%s://%s%s", cgiAppendSForHttps(), cgiServerNamePort(), cgiScriptName());
printf("- If you have saved your settings to a local file, you can send "
"email to others with the file as an attachment and direct them to "
"%s .
\n",
dyUrl->string, dyUrl->string);
dyStringPrintf(dyUrl, "?hgS_doLoadUrl=submit&hgS_loadUrlName=");
printf("- If a saved settings file is available from a web server, "
"you can send email to others with a link such as "
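Review bot: The predicate `loginSystemEnabled() || wikiLinkEnabled()` is now spelled out at three call sites: this `else if`, the top of doMainPage, and the line in hgSession() that derives userName. Because it decides whether a cookie-derived identity is consulted at all, a call site that drifts later would gate session features inconsistently. Consider a single file-local helper, for example a proposed `static boolean sessionLoginEnabled(void)` returning that expression, used in all three places. The branch still builds its link with `wikiLinkUserLoginUrl(cartSessionId(cart))`; presumably that routine now also serves the non-wiki login system, so a comment such as `/* wikiLink* routines also cover the login system, not only the wiki */` would help. The enclosing function starts before this hunk.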
@@ -532,31 +532,31 @@
"settings file, e.g. http://www.mysite.edu/~me/mySession.txt . "
"In this type of link, you can replace "
"\"hgSession\" with \"hgTracks\" in order to proceed directly to "
"the Genome Browser. For an example page using such links "
"please see the Session Gallery.
\n",
dyUrl->string);
printf("
\n");
dyStringFree(&dyUrl);
}
void doMainPage(char *userName, char *message)
/* Login status/links and session controls. */
{
puts("Content-Type:text/html\n");
-if (wikiLinkEnabled())
+if (loginSystemEnabled() || wikiLinkEnabled())
{
if (userName)
welcomeUser(userName);
else
offerLogin();
if (isNotEmpty(message))
{
if (cartVarExists(cart, hgsDoSessionDetail))
webNewSection("Session Details");
else
webNewSection("Updated Session");
puts(message);
}
showSessionControls(userName, TRUE, TRUE);
showLinkingTemplates(userName);
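Review bot: `puts(message)` writes the status text into the page unescaped, and this branch now runs whenever either login mechanism is enabled, so it is worth confirming that the code building `message` HTML-encodes any user-supplied parts. The message is assembled outside this hunk (hgSession() passes in the results of doNewSession and doOtherUser), so this cannot be verified from the lines shown. If encoding happens where the message is built, a comment on doMainPage such as `/* message must already be HTML-safe; it is emitted with puts() unescaped */` would record the contract. doMainPage's body continues past the end of the hunk.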
@@ -1181,31 +1181,31 @@
return dyStringCannibalize(&dyMessage);
}
void hgSession()
/* hgSession - Interface with wiki login and do session saving/loading.
* Here we set up cart and some global variables, dispatch the command,
* and put away the cart when it is done. */
{
struct hash *oldVars = hashNew(10);
/* Sometimes we output HTML and sometimes plain text; let each outputter
* take care of headers instead of using a fixed cart*Shell(). */
cart = cartAndCookieNoContent(hUserCookie(), excludeVars, oldVars);
-char *userName = wikiLinkEnabled() ? wikiLinkUserName() : NULL;
+char *userName = (loginSystemEnabled() || wikiLinkEnabled()) ? wikiLinkUserName() : NULL;
if (cartVarExists(cart, hgsDoMainPage) || cartVarExists(cart, hgsCancel))
doMainPage(userName, NULL);
else if (cartVarExists(cart, hgsDoNewSession))
{
char *message = doNewSession(userName);
doMainPage(userName, message);
}
else if (cartVarExists(cart, hgsDoOtherUser))
{
char *message = doOtherUser(hgsDoOtherUser);
doMainPage(userName, message);
}
else if (cartVarExists(cart, hgsDoSaveLocal))
{