fba55c7cdca98634dd406e5a0b58ce09f98593d3
angie
  Mon Dec 12 16:46:03 2016 -0800
Having absolutely no new security is a bummer, so for now, by default, check incoming cookie vs. gbMembers.idx, but add a setting login.acceptAnyId that we can enable in case there is a problem with checking idx.
Also add a new setting login.acceptIdx that can be disabled (along with login.acceptAnyId) in order to absolutely require a login.cookieSalt match for better security.
refs #17327

diff --git src/hg/inc/wikiLink.h src/hg/inc/wikiLink.h
index 761addd..d29622e 100644
--- src/hg/inc/wikiLink.h
+++ src/hg/inc/wikiLink.h
@@ -4,30 +4,32 @@
  * See README in this or parent directory for licensing information. */
 
 #ifndef WIKILINK_H
 #define WIKILINK_H
 
 /* hg.conf wiki parameters -- wikiLink is disabled if any are undefined. */
 #define CFG_WIKI_HOST "wiki.host"
 #define CFG_WIKI_USER_NAME_COOKIE "wiki.userNameCookie"
 #define CFG_WIKI_LOGGED_IN_COOKIE "wiki.loggedInCookie"
 #define CFG_WIKI_SESSION_COOKIE "wiki.sessionCookie"
 
 /* hg.conf login system parameter -- using non-wiki login system (hgLogin) if defined */
 #define CFG_LOGIN_SYSTEM_NAME "login.systemName"
 #define CFG_LOGIN_USE_HTTPS "login.https"
 #define CFG_LOGIN_COOKIE_SALT "login.cookieSalt"
+#define CFG_LOGIN_ACCEPT_ANY_ID "login.acceptAnyId"
+#define CFG_LOGIN_ACCEPT_IDX "login.acceptIdx"
 
 /* hg.conf central db parameters */
 #define CFG_CENTRAL_DOMAIN "central.domain"
 #define CFG_CENTRAL_COOKIE "central.cookie"
 
 char *loginSystemName();
 /* Return the wiki host specified in hg.conf, or NULL.  Allocd here. */
 
 boolean loginSystemEnabled();
 /* Return TRUE if login.systemName  parameter is defined in hg.conf . */
 
 boolean loginUseHttps();
 /* Return TRUE unless https is disabled in hg.conf. */
 
 struct slName *loginLoginUser(char *userName, uint idx);
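Review bot: The two added defines, `CFG_LOGIN_ACCEPT_ANY_ID` and `CFG_LOGIN_ACCEPT_IDX`, have no comment giving their defaults or their effect on authentication. The only comment above them describes the login system parameter. Going by the commit message, enabling `login.acceptAnyId` skips the check of the incoming cookie against gbMembers.idx, and a salted-cookie match is only strictly required when both settings are disabled, so an operator reading this header should be able to see which values are the weaker ones. I would add `/* login.acceptAnyId: accept the ID cookie without checking it against gbMembers.idx; off by default, fallback only */` and `/* login.acceptIdx: accept a gbMembers.idx match in place of a login.cookieSalt match; disable it and acceptAnyId to require the salt */` directly above the respective defines. The code that reads these settings is outside this hunk, so the defaults stated here are taken from the commit message and should be confirmed against it.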