105193d3bc75ad4c8c5570cbd66286300c322bd3
angie
Mon Jul 25 16:36:11 2016 -0700
Always use https for hgLogin, even if returning to hgSession with http. refs #17778
diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c
index 95c3630..85054df 100644
--- src/hg/hgLogin/hgLogin.c
+++ src/hg/hgLogin/hgLogin.c
@@ -351,34 +351,34 @@
"\n"
"window.setTimeout(afterDelay, %d);\n"
"function afterDelay() {\n"
"window.location =\"%s\";\n}"
"\n//-->\n"
"", delay, returnURL);
}
static void redirectToLoginPage(char *paramStr)
/* redirect to hgLogin page with given parameter string */
{
char *hgLoginHost = wikiLinkHost();
char *cgiDir = cgiScriptDirUrl();
hPrintf("", cgiAppendSForHttps(), hgLoginHost, cgiDir, paramStr);
+ "", hgLoginHost, cgiDir, paramStr);
}
void displayActMailSuccess()
/* display Activate mail success box */
{
char *returnURL = getReturnToURL();
hPrintf(
"
"
"\n"
"
%s
", brwName);
hPrintf(
"
A confirmation email has been sent to you. \n"
"Please click the confirmation link in the email to activate your account.
"
"\n"
"
Return
", returnURL);
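Review bot: The `https` scheme is now a literal repeated in every hgLogin URL the file builds: the redirect in redirectToLoginPage here, the else-branch redirects in the -467 and -535 hunks, and activateURL in sendActivateMail. A later call site that assembles the URL by hand can therefore fall back to http without anyone noticing. Building the prefix in one place would keep the always-https rule enforceable, for example a proposed file-local helper documented as `/* return "https://" + wikiLinkHost() + cgiScriptDirUrl() + "hgLogin" */`. The format strings are not visible on this page (the markup was stripped), so this rests on the argument lists only. Because the commit message says the return to hgSession may still use http, it is worth confirming that any session state set by hgLogin is not exposed on that return leg.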
@@ -467,34 +467,34 @@
if (result == -1)
{
hPrintf(
"
%s
", brwName);
hPrintf(
"
"
"
"
"
Error emailing %s to: %s
"
"Click
here to return.
",
obj, email );
}
else
{
hPrintf("", cgiAppendSForHttps(), hgLoginHost, cgiDir);
+ "", hgLoginHost, cgiDir);
}
}
void mailUsername(char *email, char *users)
/* send user name list to the email address */
{
char subject[256];
char msg[4096];
char *remoteAddr=getenv("REMOTE_ADDR");
safef(subject, sizeof(subject),"Your user name at the %s", brwName);
safef(msg, sizeof(msg),
" Someone (probably you, from IP address %s) has requested user name(s) associated with this email address at the %s: \n\n %s\n\n%s\n%s",
remoteAddr, brwName, users, signature, returnAddr);
sendMailOut(email, subject, msg);
@@ -535,34 +535,34 @@
if (result == -1)
{
hPrintf(
"
%s
", brwName);
hPrintf(
"
"
"
"
"
Error emailing %s to: %s
"
"Click
here to return.
",
obj, email );
}
else
{
hPrintf("", cgiAppendSForHttps(), hgLoginHost, cgiDir, username);
+ "", hgLoginHost, cgiDir, username);
}
}
void sendNewPwdMail(char *username, char *email, char *password)
/* send user new password */
{
char subject[256];
char msg[4096];
char *remoteAddr=getenv("REMOTE_ADDR");
safef(subject, sizeof(subject),"New temporary password for your account at the %s", brwName);
safef(msg, sizeof(msg),
" Someone (probably you, from IP address %s) requested a new password for the %s (%s). A temporary password for user \"%s\" has been created and was set to \"%s\". If this was your intent, you will need to log in and choose a new password now. Your temporary password will expire in 7 days.\n\n If someone else made this request, or if you have remembered your password, and you no longer wish to change it, you may ignore this message and continue using your old password.\n\n%s\n%s",
remoteAddr, brwName, brwAddr, username, password, signature, returnAddr);
sendPwdMailOut(email, subject, msg, username);
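Review bot: `username` is passed to the redirect hPrintf as-is in the else branch, whereas sendActivateMail in the same file wraps it as `cgiEncode(username)` before placing it in a URL. If the stripped format string puts it in the query string, the argument list should read `hgLoginHost, cgiDir, cgiEncode(username));` unless the caller has already encoded it. The enclosing function starts above this hunk, so the origin of username is not visible here.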
@@ -669,32 +669,32 @@
cartRemove(cart, "hgLogin_changeRequired");
return;
}
void sendActivateMail(char *email, char *username, char *encToken)
/* Send activation mail with token to user*/
{
char subject[256];
char msg[4096];
char activateURL[256];
char *hgLoginHost = wikiLinkHost();
char *remoteAddr=getenv("REMOTE_ADDR");
char *cgiDir = cgiScriptDirUrl();
safef(activateURL, sizeof(activateURL),
- "http%s://%s%shgLogin?hgLogin.do.activateAccount=1&user=%s&token=%s\n",
- cgiAppendSForHttps(), hgLoginHost, cgiDir,
+ "https://%s%shgLogin?hgLogin.do.activateAccount=1&user=%s&token=%s\n",
+ hgLoginHost, cgiDir,
cgiEncode(username),
cgiEncode(encToken));
safef(subject, sizeof(subject),"%s account e-mail address confirmation", brwName);
safef(msg, sizeof(msg),
" Someone (probably you, from IP address %s) has requested an account %s with this e-mail address on the %s.\nTo confirm that this account really does belong to you on the %s, open this link in your browser:\n\n%s\n\nIf this is *not* you, do not follow the link. This confirmation code will expire in 7 days.\n\n%s\n%s",
remoteAddr, username, brwName, brwName, activateURL, signature, returnAddr);
sendActMailOut(email, subject, msg);
}
void setupNewAccount(struct sqlConnection *conn, char *email, char *username)
/* Set up new user account and send activation mail to user */
{
char query[256];
char *token = generateRandomPassword();
char *tokenMD5 = generateTokenMD5(token);