Index: openacs-4/packages/acs-kernel/acs-kernel.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-kernel/acs-kernel.info,v
diff -u -r1.150.2.15 -r1.150.2.16
--- openacs-4/packages/acs-kernel/acs-kernel.info 19 Jun 2019 17:44:17 -0000 1.150.2.15
+++ openacs-4/packages/acs-kernel/acs-kernel.info 20 Jun 2019 12:44:23 -0000 1.150.2.16
@@ -52,7 +52,7 @@
-
+
Index: openacs-4/packages/acs-subsite/lib/login.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/lib/login.tcl,v
diff -u -r1.41.2.5 -r1.41.2.6
--- openacs-4/packages/acs-subsite/lib/login.tcl 10 Apr 2019 21:38:04 -0000 1.41.2.5
+++ openacs-4/packages/acs-subsite/lib/login.tcl 20 Jun 2019 12:44:23 -0000 1.41.2.6
@@ -107,7 +107,7 @@
 {hash:text(hidden)}
 } -validate {
 { token_id {$token_id < 2**31} "invalid token id"}
- }
+ } -csrf_protection_p true
 set username_widget text
 if { [parameter::get -parameter UsePasswordWidgetForUsername -package_id $::acs::kernel_id] } {
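Review bot: The `-csrf_protection_p true` added on the closing line of the ad_form call is not explained next to the `hash`/`time`/`token_id` hidden fields, which remain in the form and implement the older expiry/replay check further down in this file; a short comment on that line should state how the two coexist, e.g. `} -csrf_protection_p true ;# per-request CSRF token; the hash/time fields remain the legacy expiry check`. It is also worth confirming that the CSRF validation succeeds for a first-time visitor who has no session cookie yet, since the login form is the first thing such a client submits; if the token is bound to the session cookie, cookie-less or cookie-blocking clients would presumably get a CSRF failure rather than a login error, which should at least produce a clear message. The ad_form call itself starts outside the hunk.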
@@ -195,23 +195,33 @@
 set expiration_time [parameter::get \
 -parameter LoginPageExpirationTime \
 -package_id $::acs::kernel_id \
- -default 600]
- if { $expiration_time < 30 } {
- #
- # Sanity check: If expiration_time is less than 30 seconds,
- # it's practically impossible to login and you will have
- # completely hosed login on your entire site
- #
- ns_log warning "login: fix invalid setting of kernel parameter LoginPageExpirationTime \ (value $expiration_time); must be at least 30 (secs)"
- set expiration_time 30
- }
+ -default 0] ;# was 600
+ #
+ # Just check the expiration time, when the configured value is >
+ 0. The old trick with the expiration time of the login page is
+ # not an issue of modern browsers, since the login page takes
+ # already care of avoiding caching.
+ #
+ if { $expiration_time > 0 } {
+ if { $expiration_time < 30 } {
+ #
+ # Sanity check: If expiration_time is less than 30 seconds,
+ # it's practically impossible to login and you will have
+ # completely hosed login on your entire site
+ #
+ ns_log warning "login: fix invalid setting of kernel parameter LoginPageExpirationTime \ (value $expiration_time); must be at least 30 (secs)"
+ set expiration_time 30
+ }
- if { $hash ne $computed_hash
- || $time < [ns_time] - $expiration_time
- } {
- ad_returnredirect -message [_ acs-subsite.Login_has_expired] -- [export_vars -base [ad_conn url] { return_url }]
- ad_script_abort
+ if { $hash ne $computed_hash
+ || $time < [ns_time] - $expiration_time
+ } {
+ ad_returnredirect \
+ -message [_ acs-subsite.Login_has_expired] -- \
+ [export_vars -base [ad_conn url] { return_url }]
+ ad_script_abort
+ }
 }
 if { ![info exists persistent_p] || $persistent_p eq "" } {
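Review bot: Wrapping the whole block in `if { $expiration_time > 0 }` disables more than the new comment claims: with the new default of 0 the `$hash ne $computed_hash` comparison is skipped as well, so the hidden `hash`/`time`/`token_id` fields are no longer checked against the server-side value at all (computed_hash is set upstream of the hunk). Only the age test depends on the parameter, so keep the integrity comparison unconditional and make just that part optional: `if { $hash ne $computed_hash` / `|| ($expiration_time > 0 && $time < [ns_time] - $expiration_time) } {`, with the redirect/abort at the outer level and only the `< 30` sanity check left inside the `> 0` guard. If the hash check is meant to be retired now that the form has CSRF protection, the comment should say so explicitly rather than describe the change as a pure expiration-time switch. The warning text `must be at least 30 (secs)` is also now inaccurate, since 0 is a valid value meaning "disabled".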
@@ -232,7 +242,8 @@
 -username [string trim $username] \
 -password $password \
 -host_node_id $host_node_id \
- -persistent=[expr {$allow_persistent_login_p && [template::util::is_true $persistent_p]}]]
+ -persistent=[expr {$allow_persistent_login_p && [template::util::is_true $persistent_p]}]]
 # Handle authentication problems
 switch -- $auth_info(auth_status) {
Index: openacs-4/packages/acs-subsite/www/register/index.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/register/index.tcl,v
diff -u -r1.15 -r1.15.2.1
--- openacs-4/packages/acs-subsite/www/register/index.tcl 7 Aug 2017 23:47:59 -0000 1.15
+++ openacs-4/packages/acs-subsite/www/register/index.tcl 20 Jun 2019 12:44:23 -0000 1.15.2.1
@@ -15,6 +15,17 @@
 }
 }
+#
+# Avoid page caching, across all browsers, no matter how the other
+# site wide caching parameters are set. For discussion and deatils,
+# see:
+#
+# https://stackoverflow.com/questions/49547/how-to-control-web-page-caching-across-all-browsers
+#
+template::head::add_meta -http_equiv Cache-Control -content "no-cache, no-store, must-revalidate" ;# HTTP/1.1
+template::head::add_meta -http_equiv Pragma -content "no-cache" ;# HTTP/1.0
+template::head::add_meta -http_equiv Expires -content "0" ;# Proxies
+
 set subsite_id [ad_conn subsite_id]
 set login_template [parameter::get -parameter "LoginTemplate" -package_id $subsite_id]
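Review bot: The three `template::head::add_meta -http_equiv` calls only influence the browser after it has parsed the HTML; proxies, CDNs and the browser's HTTP cache act on the response headers, which this hunk does not set, so the `;# Proxies` remark on the Expires line overstates what the meta tag achieves. The same directives should be emitted as real headers on the response, e.g. `ns_set update [ns_conn outputheaders] Cache-Control "no-cache, no-store, must-revalidate"` plus matching Pragma and Expires entries, with the comment block naming the headers as the primary mechanism and the meta tags as a fallback. This matters more in this commit because lib/login.tcl now defaults LoginPageExpirationTime to 0 on the grounds that the login page already avoids caching, and that login include is presumably also rendered from pages other than register/index.tcl, which get no such treatment. Minor: `deatils` in the comment should read `details`.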