- Mar 19, 2018
-
-
Michael Große authored
As pointed out by @klap-in, an empty string may evaluate to false in some circumstances. This is something we may not want. Using a string like 'test' should therefore be more robust.
-
- Jan 30, 2018
-
-
Michael Große authored
There are circumstances where we may want to test generated content that uses the auth salt, for example when one tests the rendering of external images where the url contains a token from media_get_token
-
- Apr 04, 2017
-
-
Andreas Gohr authored
-
- Nov 20, 2016
-
-
Niklas Keller authored
Uses paragonie/random_compat instead of insecure home-brewed code. It's NEVER fine to fall back to mt_rand() for secure random. Fixes #1760.
-
- Sep 06, 2016
-
-
Andreas Gohr authored
-
- Jun 14, 2016
-
-
Anders Sandblad authored
-
- Apr 19, 2016
-
-
Andreas Gohr authored
-
- Mar 15, 2016
-
-
Marcel Pennewiss authored
-
- Nov 27, 2015
-
-
Andreas Gohr authored
The token login was introduced for the flash uploader. Since it has been removed there is no need for this code anymore.
-
- Jul 18, 2015
-
-
Sascha Klopp authored
-
- May 07, 2015
-
-
Patrick Brown authored
-
- May 06, 2015
-
-
Patrick Brown authored
-
- Jan 07, 2015
-
-
Andreas Gohr authored
In an older version of PHP a file_exists() call would issue a warning when the file did not exist. This was fixed in later PHP releases. Since we require PHP 5.3 now, there's no need to suppress any error here anymore. This might even give a minor performance boost.
-
- Oct 06, 2014
-
-
Andreas Gohr authored
Since Chrome 37, they send different accept encodings for POST and GET requests which will break BrowserUID checks as reported in cosmocode/dokuwiki-plugin-oauth/issues/3. See https://code.google.com/p/chromium/issues/detail?id=410559 for official bug report at Google
-
- Oct 02, 2014
-
-
Gerrit Uitslag authored
-
- Oct 01, 2014
-
-
Gerrit Uitslag authored
many PHPDocs, some unused variables, some dynamically declared variables declared
-
- Sep 29, 2014
-
-
Gerrit Uitslag authored
-
- Sep 26, 2014
-
-
Andreas Gohr authored
When a username but no password is submitted, the login is denied right away instead of relying on the backend to refuse the login.
-
- Sep 23, 2014
-
-
Andreas Gohr authored
This is to prevent zero byte attacks on external auth systems as described in http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
-
- Jul 30, 2014
-
-
Jurgen Hart authored
-
- Jul 26, 2014
-
-
Andreas Gohr authored
the triggered event did not allow event handlers to change the passed data
-
- May 04, 2014
-
-
Christopher Smith authored
-
- Mar 12, 2014
-
-
Christopher Smith authored
Some parts of dokuwiki (e.g. recent changes, old revisions) can request lots of user info (to provide editor names) without requiring any group information. This change also implements caching of user info by authmysql & authpgsql plugins to avoid repeated querying of the DB to retrieve the same user information.
-
- Mar 06, 2014
-
-
Christopher Smith authored
-
- Mar 05, 2014
-
-
Christopher Smith authored
-
- Mar 04, 2014
-
-
Gerrit Uitslag authored
- moved cookiedir determination in the if-statement
-
- Feb 20, 2014
-
-
Gerrit Uitslag authored
-
- Jan 05, 2014
-
-
Andreas Gohr authored
allows to modify ACL results in the AFTER event or to implement a completely different ACL mechanism in the BEFORE event.
-
- Oct 21, 2013
-
-
Christopher Smith authored
-
- Oct 16, 2013
-
-
Christopher Smith authored
replace boolean conditional checks on possibly uninitialized vars with !empty/empty/isset as appropriate
-
Christopher Smith authored
-
- Sep 11, 2013
-
-
Matt Perry authored
Removed extraneous whitespace to eliminate errors reported by the Squiz.WhiteSpace.SuperfluousWhitespace sniff.
-
- Aug 22, 2013
-
-
Matt Perry authored
Change indentation to ensure code conforms to CodeSniffer rules.
-
- Aug 21, 2013
-
-
Matt Perry authored
Remove whitespace from end of lines to reduce the number of CodeSniffer violations.
-
- Aug 03, 2013
-
-
Christopher Smith authored
- %GROUP% & %USER% can now both be used in the same rule, e.g. %GROUP%:%USER% 2 - rules with tokens will be skipped when the user is not logged in previously %USER% was attempted
-
- Aug 02, 2013
-
-
Christopher Smith authored
-
- Aug 01, 2013
-
-
Christopher Smith authored
The current message confusingly mentions bad 'username' when username is not involved. The new message is the same as that introduced for an incorrect current password on the self delete profile form (FS#2751)
-
Michael Hamann authored
Added an explanation that what we do is like normal CBC but that we additionally encrypt the IV which is actually suggested by the NIST for non-random (but unique) IVs. In the decryption process it's not necessary to decrypt the IV, this should save some time.
-
Michael Hamann authored
-
Michael Hamann authored
This replaces the deprecated and broken Blowfish implementation that has previously been used and should provide a lot more security.
-