6b0f0759060bdea5837b13dea9dc58ee6654f3de
angie
  Thu Jan 24 12:28:43 2019 -0800
Changing login.acceptIdx default to false, as I should have done 2 years ago.  refs #17327

diff --git src/hg/lib/wikiLink.c src/hg/lib/wikiLink.c
index 33f27e0..fb5fa7c 100644
--- src/hg/lib/wikiLink.c
+++ src/hg/lib/wikiLink.c
@@ -240,32 +240,31 @@
 if (userName && (cookieIdx > 0 || isNotEmpty(cookieKey)))
     {
     if (isNotEmpty(cookieSalt))
         {
         if (cookieKey && sameString(makeUserKey(userName, cookieSalt), cookieKey))
             {
             authenticated = TRUE;
             }
         else if (cfgOptionBooleanDefault(CFG_LOGIN_ACCEPT_ANY_ID, FALSE))
             {
             // Don't perform any checks on the incoming cookie.
             authenticated = TRUE;
             // Replace with improved cookie, in preparation for when better security is enabled.
             sendNewCookies(userName, cookieSalt);
             }
-// TODO: change default to FALSE in v344 Jan 2017:
-        else if (cfgOptionBooleanDefault(CFG_LOGIN_ACCEPT_IDX, TRUE) &&
+        else if (cfgOptionBooleanDefault(CFG_LOGIN_ACCEPT_IDX, FALSE) &&
                  idxIsValid(userName, cookieIdx))
             {
             // Compare cookieIdx vs. gbMembers.idx (if login is local) -- a little more secure
             // than before, but might cause some trouble if a userName has different idx values
             // on different systems (e.g. RR vs genome-preview/genome-text).
             authenticated = TRUE;
             // Replace with improved cookie, in preparation for when better security is enabled.
             sendNewCookies(userName, cookieSalt);
             }
         }
     else
         {
         // hg.conf doesn't specify login.cookieSalt -- no checking.
         authenticated = TRUE;
         }