--- loncom/auth/lonlogin.pm	2021/10/26 15:52:54	1.192
+++ loncom/auth/lonlogin.pm	2025/02/09 22:42:12	1.209
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.192 2021/10/26 15:52:54 raeburn Exp $
+# $Id: lonlogin.pm,v 1.209 2025/02/09 22:42:12 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -49,11 +49,34 @@ sub handler {
 	(join('&',$ENV{'QUERY_STRING'},$env{'request.querystring'},
 	      $ENV{'REDIRECT_QUERY_STRING'}),
 	 ['interface','username','domain','firsturl','localpath','localres',
-	  'token','role','symb','iptoken','btoken','ltoken','linkkey','saml',
-          'sso','retry']);
+	  'token','role','symb','iptoken','btoken','ltoken','ttoken','linkkey',
+          'saml','sso','retry','display']); 
+
+# -- check if they are a migrating user
+    if (defined($env{'form.token'})) {
+        return &Apache::migrateuser::handler($r);
+    }
+
     my $lonhost = $r->dir_config('lonHostID');
-    my $linkkey;
-    if (($env{'form.sso'}) || ($env{'form.retry'})) {
+    if ($env{'form.ttoken'}) {
+        my %info = &Apache::lonnet::tmpget($env{'form.ttoken'});
+        &Apache::lonnet::tmpdel($env{'form.ttoken'});
+        if ($info{'origurl'}) {
+            $env{'form.firsturl'} = $info{'origurl'};
+        }
+        if ($info{'ltoken'}) {
+            $env{'form.ltoken'} = $info{'ltoken'};
+        } elsif ($info{'linkprot'}) {
+            $env{'form.linkprot'} = $info{'linkprot'};
+            foreach my $item ('linkprotuser','linkprotexit','linkprotpbid','linkprotpburl') {
+                if ($info{$item} ne '') {
+                    $env{'form.'.$item} = $info{$item};
+                }
+            }
+        } elsif ($info{'linkkey'} ne '') {
+            $env{'form.linkkey'} = $info{'linkkey'};
+        }
+    } elsif (($env{'form.sso'}) || ($env{'form.retry'})) {
         my $infotoken;
         if ($env{'form.sso'}) {
             $infotoken = $env{'form.sso'};
@@ -70,9 +93,6 @@ sub handler {
             &Apache::lonnet::tmpdel($infotoken);
         }
     } else {
-        if ($env{'form.linkkey'}) {
-            $linkkey = $env{'form.linkkey'};
-        }        
         if (!defined($env{'form.firsturl'})) {
             &Apache::lonacc::get_posted_cgi($r,['firsturl']);
         }
@@ -82,7 +102,7 @@ sub handler {
             }
         }
         if (($env{'form.firsturl'} =~ m{^/+tiny/+$LONCAPA::match_domain/+\w+$}) &&
-            (!$env{'form.ltoken'}) && (!$env{'form.linkkey'})) {
+            (!$env{'form.ltoken'}) && (!$env{'form.linkprot'}) && (!$env{'form.linkkey'})) {
             &Apache::lonacc::get_posted_cgi($r,['linkkey']);
         }
         if ($env{'form.firsturl'} eq '/adm/logout') {
@@ -90,11 +110,6 @@ sub handler {
         }
     }
 
-# -- check if they are a migrating user
-    if (defined($env{'form.token'})) {
-	return &Apache::migrateuser::handler($r);
-    }
-
 # For "public user" - remove any exising "public" cookie, as user really wants to log-in
     my ($handle,$lonidsdir,$expirepub,$userdom);
     $lonidsdir=$r->dir_config('lonIDsDir');
@@ -149,31 +164,58 @@ sub handler {
             $protocol = 'http' if ($protocol ne 'https');
             my $dest = '/adm/roles';
             if ($env{'form.firsturl'} ne '') {
-                if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
-                    $dest = &uri_escape_utf8($env{'form.firsturl'});
-                } else {
-                    $dest = &uri_escape($env{'form.firsturl'});
-                }
-                $dest = &HTML::Entities::encode($dest,"'");
+                $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
             }
             my %info = (
                          balcookie => $lonhost.':'.$balancer_cookie,
                        );
-            if ($env{'form.ltoken'}) {
-                my %link_info = &Apache::lonnet::tmpget($env{'form.ltoken'});
-                if ($link_info{'linkprot'}) {
-                    $info{'linkprot'} = $link_info{'linkprot'};
+            if ($env{'form.role'}) {
+                $info{'role'} = $env{'form.role'};
+            }
+            if ($env{'form.symb'}) {
+                $info{'symb'} = $env{'form.symb'};
+            }
+            if (($env{'form.firsturl'} eq '/adm/email') && ($env{'form.display'} ne '')) {
+                if ($env{'form.sso'}) {
+                    if ($env{'form.mailrecip'}) {
+                        $info{'display'} = &escape($env{'form.display'});
+                        $info{'mailrecip'} = &escape($env{'form.mailrecip'});
+                    }
+                } else {
+                    if (($env{'form.username'}) && ($env{'form.domain'})) {
+                        $info{'display'} = &escape($env{'form.display'});
+                        $info{'mailrecip'} = &escape($env{'form.username'}.':'.$env{'form.domain'});
+                    }
                 }
-                &Apache::lonnet::tmpdel($env{'form.ltoken'});
-                delete($env{'form.ltoken'});
-            } elsif ($env{'form.linkkey'}) {
-                $info{'linkkey'} = $env{'form.linkkey'};
-                delete($env{'form.linkkey'});
             }
             my $balancer_token = &Apache::lonnet::tmpput(\%info,$found_server);
-            if ($balancer_token) {
+            unless (($balancer_token eq 'con_lost') || ($balancer_token eq 'refused') ||
+                    ($balancer_token eq 'unknown_cmd') || ($balancer_token eq 'no_such_host')) {
                 $dest .=  (($dest=~/\?/)?'&amp;':'?') . 'btoken='.$balancer_token;
             }
+            if ($env{'form.firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+                my %link_info;
+                if ($env{'form.ltoken'}) {
+                    $link_info{'ltoken'} = $env{'form.ltoken'};
+                } elsif ($env{'form.linkprot'}) {
+                    $link_info{'linkprot'} = $env{'form.linkprot'};
+                    foreach my $item ('linkprotuser','linkprotexit','linkprotpbid','linkprotpburl') {
+                        if ($env{'form.'.$item} ne '') {
+                            $link_info{$item} = $env{'form.'.$item};
+                        }
+                    }
+                } elsif ($env{'form.linkkey'} ne '') {
+                    $link_info{'linkkey'} = $env{'form.linkkey'};
+                }
+                if (keys(%link_info)) {
+                    $link_info{'origurl'} = $env{'form.firsturl'};
+                    my $token = &Apache::lonnet::tmpput(\%link_info,$found_server,'link');
+                    unless (($token eq 'con_lost') || ($token eq 'refused') ||
+                            ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                        $dest .=  (($dest=~/\?/)?'&amp;':'?') . 'ttoken='.$token;
+                    }
+                }
+            }
             unless ($found_server eq $lonhost) {
                 my $alias = &Apache::lonnet::use_proxy_alias($r,$found_server);
                 $hostname = $alias if ($alias ne '');
@@ -193,21 +235,22 @@ sub handler {
 # it a balancer cookie for an active session on this server.
 #
 
-    my ($balcookie,$linkprot,$linkkey);
+    my $balcookie;
     if ($env{'form.btoken'}) {
         my %info = &Apache::lonnet::tmpget($env{'form.btoken'});
         $balcookie = $info{'balcookie'};
-        if ($balcookie) {
-            if ($info{'linkprot'}) {
-                $linkprot = $info{'linkprot'};
-            } elsif ($info{'linkkey'}) {
-                $linkkey = $info{'linkkey'};
-            }
-        }    
         &Apache::lonnet::tmpdel($env{'form.btoken'});
         delete($env{'form.btoken'});
+        if (($env{'form.firsturl'} eq '/adm/email') &&
+            (exists($info{'display'})) && (exists($info{'mailrecip'}))) {
+            $env{'form.display'} = &unescape($info{'display'});
+            $env{'form.mailrecip'} = &unescape($info{'mailrecip'});
+        }
     }
 
+    (undef,undef,undef,my $clientmathml,my $clientunicode,undef,my $clientmobile) =
+        &Apache::loncommon::decode_user_agent($r);
+
 #
 # If browser sent an old cookie for which the session file had been removed
 # check if configuration for user's domain has a portal URL set.  If so
@@ -228,28 +271,61 @@ sub handler {
 # -------------------------------- Prevent users from attempting to login twice
     if ($handle ne '') {
         &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
+        my $args = {};
+        if ($clientunicode && !$clientmathml) {
+            $args->{'browser.unicode'} = 1;
+        }
 	my $start_page = 
-	    &Apache::loncommon::start_page('Already logged in');
+	    &Apache::loncommon::start_page('Already logged in','',$args);
 	my $end_page = 
 	    &Apache::loncommon::end_page();
         my $dest = '/adm/roles';
         if ($env{'form.firsturl'} ne '') {
-            if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
-                $dest = &uri_escape_utf8($env{'form.firsturl'});
-            } else {
-                $dest = &uri_escape($env{'form.firsturl'});
-            }
-            $dest = &HTML::Entities::encode($dest,"'");
+            $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
         }
-        if (($env{'form.ltoken'}) || ($linkprot)) {
-            unless ($linkprot) {
+        if (($env{'form.ltoken'}) || ($env{'form.linkprot'})) {
+            my ($linkprot,$linkprotuser,$linkprotexit,$linkprotpbid,$linkprotpburl);
+            if ($env{'form.ltoken'}) {
                 my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
                 $linkprot = $info{'linkprot'};
-                my $delete = &Apache::lonnet::tmpdel($env{'form.ltoken'});
-                delete($env{'form.ltoken'});
+                if ($info{'linkprotuser'} ne '') {
+                    $linkprotuser = $info{'linkprotuser'};
+                }
+                if ($info{'linkprotexit'} ne '') {
+                    $linkprotexit = $info{'linkprotexit'};
+                }
+                if ($info{'linkprotpbid'} ne '') {
+                    $linkprotpbid = $info{'linkprotpbid'};
+                }
+                if ($info{'linkprotpburl'} ne '') {
+                    $linkprotpburl = $info{'linkprotpburl'};
+                }
+            } else {
+                $linkprot = $env{'form.linkprot'};
+                $linkprotuser = $env{'form.linkprotuser'};
+                $linkprotexit = $env{'form.linkprotexit'};
+                $linkprotpbid = $env{'form.linkprotpbid'};
+                $linkprotpburl = $env{'form.linkprotpburl'}; 
             }
             if ($linkprot) {
                 my ($linkprotector,$deeplink) = split(/:/,$linkprot,2);
+                if (($deeplink =~ m{^/tiny/$match_domain/\w+$}) &&
+                    ($linkprotuser ne '') && ($linkprotuser ne $env{'user.name'}.':'.$env{'user.domain'})) {
+                    my $ip = &Apache::lonnet::get_requestor_ip();
+                    my %linkprotinfo = (
+                                          origurl => $deeplink,
+                                          linkprot => $linkprot,
+                                          linkprotuser => $linkprotuser,
+                                          linkprotexit => $linkprotexit,
+                                          linkprotpbid => $linkprotpbid,
+                                          linkprotpburl => $linkprotpburl,
+                                       );
+                    if ($env{'form.ltoken'}) {
+                        my $delete = &Apache::lonnet::tmpdel($env{'form.ltoken'});
+                    }
+                    &Apache::migrateuser::logout($r,$ip,$handle,undef,undef,\%linkprotinfo);
+                    return OK;
+                }
                 if ($env{'user.linkprotector'}) {
                     my @protectors = split(/,/,$env{'user.linkprotector'});
                     unless (grep(/^\Q$linkprotector\E$/,@protectors)) {
@@ -271,16 +347,14 @@ sub handler {
                     &Apache::lonnet::appenv({'user.linkproturi' => $deeplink});
                 }
             }
-        } elsif (($env{'form.linkkey'}) || ($linkkey)) {
+        } elsif ($env{'form.linkkey'} ne '') {
             if ($env{'form.firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
-                if ($linkkey eq '') {
-                    $linkkey = $env{'form.linkkey'};
-                }
+                my $linkkey = $env{'form.linkkey'};
                 if ($env{'user.deeplinkkey'}) {
                     my @linkkeys = split(/,/,$env{'user.deeplinkkey'});
                     unless (grep(/^\Q$linkkey\E$/,@linkkeys)) {
                         push(@linkkeys,$linkkey);
-                        &Apache::lonnet::appenv({'user.deeplinkkey' => join(',',sort(@linkkeys))});  
+                        &Apache::lonnet::appenv({'user.deeplinkkey' => join(',',sort(@linkkeys))});
                     }
                 } else {
                     &Apache::lonnet::appenv({'user.deeplinkkey' => $linkkey});
@@ -297,11 +371,27 @@ sub handler {
                 }
             }
         }
+        if ($env{'form.ltoken'}) {
+            my $delete = &Apache::lonnet::tmpdel($env{'form.ltoken'});
+        }
+        if (($env{'form.firsturl'} eq '/adm/email') && ($env{'form.display'})) {
+            if ($env{'form.mailrecip'}) {
+                if ($env{'form.mailrecip'} eq "$env{'user.name'}:$env{'user.domain'}") {
+                    $dest .= (($dest=~/\?/)?'&amp;':'?') . 'display='.&escape($env{'form.display'}).
+                                                           '&amp;mailrecip='.&escape($env{'form.mailrecip'});
+                }
+            } elsif (($env{'form.username'} eq $env{'user.name'}) && ($env{'form.domain'} eq $env{'user.domain'})) {
+                $dest .= (($dest=~/\?/)?'&amp;':'?') . 'display='.&escape($env{'form.display'}).
+                                                       '&amp;mailrecip='.&escape("$env{'user.name'}:$env{'form.domain'}");
+            }
+        }
 	$r->print(
                   $start_page
+                 .'<div role="main">'
                  .'<p class="LC_warning">'.&mt('You are already logged in!').'</p>'
                  .'<p>'.&mt('Please either [_1]continue the current session[_2] or [_3]log out[_4].',
                   '<a href="'.$dest.'">','</a>','<a href="/adm/logout">','</a>').'</p>'
+                 .'</div>' 
                  .$end_page
                  );
         return OK;
@@ -327,9 +417,6 @@ sub handler {
 # ----------------------------------------------------------- Process Interface
     $env{'form.interface'}=~s/\W//g;
 
-    (undef,undef,undef,undef,undef,undef,my $clientmobile) =
-        &Apache::loncommon::decode_user_agent($r);
-
     my $iconpath= 
 	&Apache::loncommon::lonhttpdurl($r->dir_config('lonIconsURL'));
 
@@ -337,8 +424,7 @@ sub handler {
     my $defdom = $domain;
     if ($lonhost ne '') {
         unless ($sessiondata{'sessionserver'}) {
-            my $redirect = &check_loginvia($domain,$lonhost,$lonidsdir,$balcookie,
-                                           $linkprot,$linkkey);
+            my $redirect = &check_loginvia($domain,$lonhost,$lonidsdir,$balcookie);
             if ($redirect) {
                 $r->print($redirect);
                 return OK;
@@ -422,20 +508,41 @@ sub handler {
     if ($uextkey>2147483647) { $uextkey-=4294967296; }
 
 # -------------------------------------------------------- Store away log token
-    my ($tokenextras,$tokentype);
-    my @names = ('role','symb','iptoken','ltoken','linkkey');
+    my ($tokenextras,$tokentype,$linkprot_for_login);
+    my @names = ('role','symb','iptoken','ltoken','linkprotuser','linkprotexit',
+                 'linkprot','linkkey','display','linkprotpbid','linkprotpburl');
     foreach my $name (@names) {
         if ($env{'form.'.$name} ne '') {
             if ($name eq 'ltoken') {
-                my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
+                my %info = &Apache::lonnet::tmpget($env{'form.'.$name});
                 if ($info{'linkprot'}) {
+                    $linkprot_for_login = $info{'linkprot'};
                     $tokenextras .= '&linkprot='.&escape($info{'linkprot'});
+                    foreach my $item ('linkprotuser','linkprotexit','linkprotpbid','linkprotpburl') {
+                        if ($info{$item}) {
+                            $tokenextras .= '&'.$item.'='.&escape($info{$item});
+                        }
+                    }
                     $tokentype = 'link';
                     last;
                 }
+            } elsif ($env{'form.display'} && ($env{'form.firsturl'} eq '/adm/email')) {
+                if (($env{'form.mailrecip'}) ||
+                    ($env{'form.username'} =~ /^$match_username$/) && ($env{'form.domain'} =~ /^$match_domain$/)) {
+                    $tokenextras .= '&'.$name.'='.&escape($env{'form.display'});
+                    if ($env{'form.mailrecip'}) {
+                        $tokenextras .= '&mailrecip='.&escape($env{'form.mailrecip'});
+                    } else {
+                        $tokenextras .= '&mailrecip='.&escape($env{'form.username'}.':'.$env{'form.domain'});
+                    }
+                }
             } else {
                 $tokenextras .= '&'.$name.'='.&escape($env{'form.'.$name});
-                if ($name eq 'linkkey') {
+                if (($name eq 'linkkey') || ($name eq 'linkprot')) {
+                    if ((($env{'form.retry'}) || ($env{'form.sso'})) && 
+                        (!$env{'form.ltoken'}) && ($name eq 'linkprot')) {
+                        $linkprot_for_login = $env{'form.linkprot'};
+                    }
                     $tokentype = 'link';
                 }
             }
@@ -445,7 +552,7 @@ sub handler {
         $tokenextras .= ":$tokentype";
     }
     my $logtoken=Apache::lonnet::reply(
-       'tmpput:'.$ukey.$lkey.'&'.$firsturl.$tokenextras,
+       'tmpput:'.$ukey.$lkey.'&'.&escape($firsturl).$tokenextras,
        $lonhost);
 
 # -- If we cannot talk to ourselves, or hostID does not map to a hostname
@@ -517,17 +624,34 @@ sub handler {
   .'<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">'
   .'<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>'
   .&mt('The LearningOnline Network with CAPA')
-  .'</title></head>'
+  .'</title>'
+  .'<style type="text/css">
+body {
+  background-color:"#FFFFFF";
+}
+h2 {
+  display: block;
+  font-size: 1.17em;
+  margin-top: 1em;
+  margin-bottom: 1em;
+  margin-left: 0;
+  margin-right: 0;
+  font-weight: bold;
+}
+</style></head>'
   .'<body bgcolor="#FFFFFF">'
+  .'<div role="banner">'
   .'<h1>'.&mt('The LearningOnline Network with CAPA').'</h1>'
   .'<img src="/adm/lonKaputt/lonlogo_broken.gif" alt="broken icon" align="right" />'
-  .'<h3>'.&mt('This LON-CAPA server is temporarily not available for login.').'</h3>');
+  .'</div>'
+  .'<div role="main">'
+  .'<h2>'.&mt('This LON-CAPA server is temporarily not available for login.').'</h2>');
         if ($spares) {
             $r->print('<p>'.&mt('Please attempt to login to one of the following servers:')
                      .'</p>'
                      .$spares);
         }
-        $r->print('</body>'
+        $r->print('</div></body>'
                  .'</html>'
         );
         return OK;
@@ -613,7 +737,8 @@ function enableInput() {
 ENDSCRIPT
 
     my ($lonhost_in_use,@hosts,%defaultdomconf,$saml_prefix,$saml_landing,
-        $samlssotext,$samlnonsso,$samlssoimg,$samlssoalt,$samlssourl,$samltooltip);
+        $samlssotext,$samlnonsso,$samlssoimg,$samlssoalt,$samlssourl,$samltooltip,
+        $samlwindow);
     %defaultdomconf = &Apache::loncommon::get_domainconf($defdom);
     @hosts = &Apache::lonnet::current_machine_ids();
     $lonhost_in_use = $lonhost;
@@ -634,6 +759,7 @@ ENDSCRIPT
         $samlssoalt = $defaultdomconf{$saml_prefix.'alt_'.$lonhost_in_use};
         $samlssourl = $defaultdomconf{$saml_prefix.'url_'.$lonhost_in_use};
         $samltooltip = $defaultdomconf{$saml_prefix.'title_'.$lonhost_in_use};
+        $samlwindow = $defaultdomconf{$saml_prefix.'window_'.$lonhost_in_use};
     }
     if ($saml_landing) {
        if ($samlssotext eq '') {
@@ -653,6 +779,7 @@ function toggleLClogin() {
             if (document.getElementById('LC_login_text')) {
                 document.getElementById('LC_login_text').innerHTML = '$samlnonsso';
             }
+            if ( document.client.uname ) { document.client.uname.focus(); }
             if (document.getElementById('LC_SSO_login')) {
                 document.getElementById('LC_SSO_login').style.display = 'none';
             }
@@ -708,10 +835,16 @@ ENDSAMLJS
         }
     }
 
-    $r->print(&Apache::loncommon::start_page('The LearningOnline Network with CAPA Login',$js,
-			       { 'redirect'       => [$expire,'/adm/roles'], 
-				 'add_entries' => \%add_entries,
-				 'only_body'   => 1,}));
+    my $args = {
+                 'redirect'    => [$expire,'/adm/roles'],
+                 'add_entries' => \%add_entries,
+                 'only_body'   => 1,
+               };
+    if ($clientunicode && !$clientmathml) {
+        $args->{'browser.unicode'} = 1;
+    }
+    $r->print(&Apache::loncommon::start_page('The LearningOnline Network with CAPA Login',
+                                             $js,$args));
 
 # ----------------------------------------------------------------------- Texts
 
@@ -753,8 +886,17 @@ ENDSAMLJS
    .' style="margin:0 auto; padding:10px; width:90%; height: auto; background-color:#FFFFFF;">'
 );
 
+    my $target = '_top';
+    if ($sessiondata{'linkprot'}) {
+        my ($linkprotector,$deeplink) = split(/:/,$sessiondata{'linkprot'},2);
+        if (($deeplink eq $sessiondata{'origurl'}) &&
+            (($sessiondata{'linkprotuser'} eq $sessiondata{'username'}.':'.$sessiondata{'domain'}) ||
+             ($sessiondata{'linkprotuser'} eq $sessiondata{'username'}))) {
+            $target = '_self';
+        }
+    }
     $r->print(<<ENDSERVERFORM);
-<form name="server" action="/adm/authenticate" method="post" target="_top">
+<form name="server" action="/adm/authenticate" method="post" target="$target">
    <input type="hidden" name="logtoken" value="$logtoken" />
    <input type="hidden" name="serverid" value="$lonhost" />
    <input type="hidden" name="uname" value="" />
@@ -806,18 +948,28 @@ ENDSERVERFORM
 LFORM
 
     if ($showbanner) {
+        my $alttext = &Apache::loncommon::designparm('login.alttext_img',$domain);
+        if ($alttext eq '') {
+            $alttext = 'The Learning Online Network with CAPA';
+        }
         $r->print(<<HEADER);
 <!-- The LON-CAPA Header -->
-<div style="background:$pgbg;margin:0;width:100%;">
-  <img src="$img" border="0" alt="The Learning Online Network with CAPA" class="LC_maxwidth" />
+<div style="background:$pgbg;margin:0;width:100%;" role="banner">
+  <h1 style="padding:0;margin:0">
+  <img src="$img" border="0" alt="$alttext" class="LC_maxwidth" id="lcloginbanner" />
+  </h1>
 </div>
 HEADER
+    } else {
+        $r->print('<div role="banner" class="LC_visually_hidden" tabindex="-1">'.
+                  '<h1>'.&mt('LON-CAPA Login Page').'</h1></div>');
     }
 
     my $stdauthformstyle = 'inline-block';
     my $ssoauthstyle = 'none';
+    my $sso_onclick;
     my $logintype;
-    $r->print('<div style="float:left;margin-top:0;">');
+    $r->print('<div style="float:left;margin-top:0;" role="main">');
     if ($saml_landing) {
         $ssoauthstyle = 'inline-block';
         $stdauthformstyle = 'none';
@@ -826,6 +978,8 @@ HEADER
         if ($samlssourl  ne '') {
             $ssologin = $samlssourl;
         }
+        my $ssologin_for_js = &js_escape($ssologin);
+        my $querystr_for_js;
         if (($logtoken eq 'con_lost') || ($logtoken eq 'no_such_host')) {
             my $querystring;
             if ($env{'form.firsturl'} ne '') {
@@ -846,15 +1000,44 @@ HEADER
             }
             if ($querystring ne '') {
                 $ssologin .= (($ssologin=~/\?/)?'&amp;':'?') . $querystring;
+                $querystr_for_js = &js_escape($querystring);
             }
         } elsif ($logtoken ne '') {
             $ssologin .= (($ssologin=~/\?/)?'&amp;':'?') . 'logtoken='.$logtoken;
+            $querystr_for_js = &js_escape('logtoken='.$logtoken);
         }
         my $ssohref;
+        if ($samlwindow) {
+            $sso_onclick = <<"ENDJS";
+if (document.getElementById('LC_sso_login_link')) {
+    var ssoelem = document.getElementById('LC_sso_login_link')
+    ssoelem.addEventListener('click',samlWinFunction,false);
+    var windows = {};
+    function samlWinFunction(evt) {
+        evt.preventDefault();
+        var url = '$ssologin_for_js';
+        var name = 'lcssowin';
+        var querystr = '$querystr_for_js';
+        if (querystr) {
+            url += '?'+querystr+'&lcssowin=1';
+        } else {
+            url += '?lcssowin=1';
+        }
+        if ((typeof windows[name] !== 'undefined') && (!windows[name].closed)) {
+            windows[name].close();
+        }
+        windows[name]=window.open(url,name,'width=350,height=600');
+        windows[name].focus();
+        return false;
+    }
+}
+ENDJS
+        }
         if ($samlssoimg ne '') {
-            $ssohref = '<a href="'.$ssologin.'" title="'.$samltooltip.'"><img src="'.$samlssoimg.'" alt="'.$samlssoalt.'" /></a>';
+            $ssohref = '<a href="'.$ssologin.'" title="'.$samltooltip.'" id="LC_sso_login_link">'.
+                       '<img src="'.$samlssoimg.'" alt="'.$samlssoalt.'" id="lcssobutton" /></a>';
         } else {
-            $ssohref = '<a href="'.$ssologin.'">'.$samlssotext.'</a>';
+            $ssohref = '<a href="'.$ssologin.'" id="LC_sso_login_link">'.$samlssotext.'</a>';
         }
         if (($env{'form.saml'} eq 'no') ||
             (($env{'form.username'} ne '') && ($env{'form.domain'} ne ''))) {
@@ -886,6 +1069,46 @@ ENDSAML
             delete($env{'form.ltoken'});
         }
     }
+    my $in_frame_js;
+    if ($linkprot_for_login) {
+        my ($linkprotector,$linkproturi) = split(/:/,$linkprot_for_login,2);
+        if (($linkprotector =~ /^\d+(c|d)$/) && ($linkproturi =~ m{^/+tiny/+$LONCAPA::match_domain/+\w+$})) {
+            my $set_target;
+            if (($env{'form.retry'}) || ($env{'form.sso'})) {
+                if ($linkproturi eq $env{'form.firsturl'}) {
+                    $set_target = "    document.server.target = '_self';";
+                }
+            } else {
+                $set_target = <<ENDTARG;
+    var linkproturi = '$linkproturi';
+    var path = document.location.pathname.replace( new RegExp('^/adm/launch'),'');
+    if (linkproturi == path) {
+        document.server.target = '_self';
+    }
+ENDTARG
+            }
+            $in_frame_js = <<ENDJS;
+<script type="text/javascript">
+// <![CDATA[
+if ((window.self !== window.top) && (document.server.target != '_self')) {
+    $set_target
+    $sso_onclick
+}
+// ]]>
+</script>
+ENDJS
+        }
+    } elsif ($samlwindow) {
+        $in_frame_js = <<ENDJS;
+<script type="text/javascript">
+// <![CDATA[
+if ((window.self !== window.top) && (document.server.target != '_self')) {
+    $sso_onclick
+}
+// ]]>
+</script>
+ENDJS
+    }
 
     $r->print(<<ENDLOGIN);
 <div style="display:$stdauthformstyle;" id="LC_standard_login">
@@ -907,29 +1130,30 @@ ENDSAML
 ENDLOGIN
     $r->print('</div><div>'."\n");
     if ($showmainlogo) {
-        $r->print(' <img src="'.$logo.'" alt="" class="LC_maxwidth" />'."\n");
+        my $alttext = &Apache::loncommon::designparm('login.alttext_logo',$domain); 
+        $r->print(' <img src="'.$logo.'" alt="'.$alttext.'" class="LC_maxwidth" id="lcloginmainlogo" />'."\n");
     }
 $r->print(<<ENDTOP);
 $announcements
 </div>
 <hr style="clear:both;" />
 ENDTOP
-    my ($domainrow,$serverrow,$loadrow,$userloadrow,$versionrow);
+    my ($domainrow,$serverrow,$loadrow,$userloadrow,$versioninfo);
     $domainrow = <<"END";
       <tr>
-       <td  align="left" valign="top">
+       <th align="left" valign="top">
         <small><b>$lt{'dom'}:&nbsp;</b></small>
-       </td>
-       <td  align="left" valign="top">
+       </th>
+       <th align="left" valign="top">
         <small><tt>&nbsp;$domain</tt></small>
        </td>
       </tr>
 END
     $serverrow = <<"END";
       <tr>
-       <td  align="left" valign="top">
+       <th align="left" valign="top">
         <small><b>$lt{'serv'}:&nbsp;</b></small>
-       </td>
+       </th>
        <td align="left" valign="top">
         <small><tt>&nbsp;$lonhost ($role)</tt></small>
        </td>
@@ -938,9 +1162,9 @@ END
     if ($loadlim) {
         $loadrow = <<"END";
       <tr>
-       <td align="left" valign="top">
+       <th align="left" valign="top">
         <small><b>$lt{'load'}:&nbsp;</b></small>
-       </td>
+       </th>
        <td align="left" valign="top">
         <small><tt>&nbsp;$loadpercent $lt{'perc'}</tt></small>
        </td>
@@ -950,9 +1174,9 @@ END
     if ($uloadlim) {
         $userloadrow = <<"END";
       <tr>
-       <td align="left" valign="top">
+       <th align="left" valign="top">
         <small><b>$lt{'userload'}:&nbsp;</b></small>
-       </td>
+       </th>
        <td align="left" valign="top">
         <small><tt>&nbsp;$userloadpercent $lt{'perc'}</tt></small>
        </td>
@@ -960,31 +1184,28 @@ END
 END
     }
     if (($version ne '') && ($version ne '<!-- VERSION -->')) {
-        $versionrow = <<"END";
-      <tr>
-       <td colspan="2" align="left">
-        <small>$version</small>
-       </td>
-      </tr>
-END
+        $versioninfo = "<small>$version</small>";
     }
 
     $r->print(<<ENDDOCUMENT);
+    <div role="contentinfo" style="padding:0;clear:both;margin:0;border:0">
     <div style="float: left;">
      <table border="0" cellspacing="0" cellpadding="0">
 $domainrow
 $serverrow
 $loadrow    
 $userloadrow
-$versionrow
      </table>
+    $versioninfo
     </div>
     <div style="float: right;">
     $domainlogo
     </div>
+    </div>
     <br style="clear:both;" />
  </div>
 
+$in_frame_js
 <script type="text/javascript">
 // <![CDATA[
 // the if prevents the script error if the browser can not handle this
@@ -1000,7 +1221,7 @@ ENDDOCUMENT
 }
 
 sub check_loginvia {
-    my ($domain,$lonhost,$lonidsdir,$balcookie,$linkprot,$linkkey) = @_;
+    my ($domain,$lonhost,$lonidsdir,$balcookie) = @_;
     if ($domain eq '' || $lonhost eq '' || $lonidsdir eq '') {
         return;
     }
@@ -1060,7 +1281,7 @@ sub check_loginvia {
                             }
                         }
                     }
-                    $output = &redirect_page($newhost,$path,$linkprot,$linkkey);
+                    $output = &redirect_page($newhost,$path);
                 }
             }
         }
@@ -1069,7 +1290,7 @@ sub check_loginvia {
 }
 
 sub redirect_page {
-    my ($desthost,$path,$linkprot,$linkkey) = @_;
+    my ($desthost,$path) = @_;
     my $hostname = &Apache::lonnet::hostname($desthost);
     my $protocol = $Apache::lonnet::protocol{$desthost};
     $protocol = 'http' if ($protocol ne 'https');
@@ -1077,26 +1298,60 @@ sub redirect_page {
         $path = '/'.$path;
     }
     my $url = $protocol.'://'.$hostname.$path;
-    if ($env{'form.firsturl'} ne '') {
+    my $args = {};
+    if ($env{'form.firsturl'} =~ m{^/tiny/$match_domain/\w+$}) {
+        $url = $protocol.'://'.$hostname.$env{'form.firsturl'};
+        if (($env{'form.ltoken'}) || ($env{'form.linkprot'} ne '') ||
+            ($env{'form.linkkey'} ne '')) {
+            my %link_info;
+            if ($env{'form.ltoken'}) {
+                %link_info = &Apache::lonnet::tmpget($env{'form.ltoken'});
+                &Apache::lonnet::tmpdel($env{'form.ltoken'});
+                $args->{'only_body'} = 1;
+            } elsif ($env{'form.linkprot'}) {
+                $link_info{'linkprot'} = $env{'form.linkprot'};
+                foreach my $item ('linkprotuser','linkprotexit','linkprotpbid','linkprotpburl') {
+                    if ($env{'form.'.$item}) {
+                        $link_info{$item} = $env{'form.'.$item};
+                    }
+                }
+                $args->{'only_body'} = 1;
+            } elsif ($env{'form.linkkey'} ne '') {
+                $link_info{'linkkey'} = $env{'form.linkkey'};
+            }
+            my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
+            unless (($token eq 'con_lost') || ($token eq 'refused') ||
+                    ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                $url .= '?ltoken='.$token;
+            }
+        }
+    } else {
         my $querystring;
-        if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
-            $querystring = &uri_escape_utf8($env{'form.firsturl'});
-        } else {
-            $querystring = &uri_escape($env{'form.firsturl'});
+        if ($env{'form.firsturl'} ne '') {
+            if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+                $querystring = &uri_escape_utf8($env{'form.firsturl'});
+            } else {
+                $querystring = &uri_escape($env{'form.firsturl'});
+            }
+            $querystring = &HTML::Entities::encode($querystring,"'");
+            $querystring = '?firsturl='.$querystring;
         }
-        $querystring = &HTML::Entities::encode($querystring,"'");
-        $url .='?firsturl='.$querystring;
-    }
-    if ($linkprot) {
-        my $ltoken = &Apache::lonnet::tmpput({linkprot => $linkprot},$desthost);
-        if ($ltoken) {
-            $url .= (($url =~ /\?/) ? '&amp;' : '?').'ltoken='.$ltoken;
+        if ($env{'form.ltoken'}) {
+            my %link_info = &Apache::lonnet::tmpget($env{'form.ltoken'});
+            &Apache::lonnet::tmpdel($env{'form.ltoken'});
+            my $token = &Apache::lonnet::tmpput(\%link_info,$desthost,'link');
+            unless (($token eq 'con_lost') || ($token eq 'refused') || ($token =~ /^error:/) ||
+                    ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+                unless (($path eq '/adm/roles') || ($path eq '/adm/login')) {
+                    $url = $protocol.'://'.$hostname.'/adm/roles';
+                }
+                $querystring .= (($querystring =~/^\?/)?'&amp;':'?') . 'ttoken='.$token;
+            }
         }
-    } elsif ($linkkey) {
-        $url .= (($url =~ /\?/) ? '&amp;' : '?').'linkkey='.&uri_escape($linkkey);        
+        $url .= $querystring;
     }
-    my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,
-                                                    {'redirect' => [0,$url],});
+    $args->{'redirect'} = [0,$url,'','',1];
+    my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,$args);
     my $end_page   = &Apache::loncommon::end_page();
     return $start_page.$end_page;
 }