diff --git a/include/dba.php b/include/dba.php
index 4e3f11f7be..fd403b5609 100644
--- a/include/dba.php
+++ b/include/dba.php
@@ -1,12 +1,15 @@
 <?php
 
-// MySQL database class
-//
-// For debugging, insert 'dbg(x);' anywhere in the program flow.
-// x = 1: display db success/failure following content
-// x = 2: display full queries following content
-// x = 3: display full queries using echo; which will mess up display
-//        really bad but will return output in stubborn cases.
+/**
+ *
+ * MySQL database class
+ *
+ * For debugging, insert 'dbg(1);' anywhere in the program flow.
+ * dbg(0); will turn it off. Logging is performed at LOGGER_DATA level.
+ * When logging, all binary info is converted to text and html entities are escaped so that 
+ * the debugging stream is safe to view within both terminals and web pages.
+ *
+ */
  
 if(! class_exists('dba')) { 
 class dba {
@@ -51,6 +54,13 @@ class dba {
 			logger('dba: ' . $str );
 		}
 		else {
+
+			/*
+			 * If dbfail.out exists, we will write any failed calls directly to it,
+			 * regardless of any logging that may or may nor be in effect.
+			 * These usually indicate SQL syntax errors that need to be resolved.
+			 */
+
 			if($result === false) {
 				logger('dba: ' . printable($sql) . ' returned false.');
 				if(file_exists('dbfail.out'))
diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index de3d00aea0..20fdc8f79c 100644
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -7,12 +7,12 @@ require_once('include/auth.php');
 function dfrn_poll_init(&$a) {
 
 	$dfrn_id         = ((x($_GET,'dfrn_id'))         ? $_GET['dfrn_id']              : '');
-	$type            = ((x($_GET,'type'))            ? $_GET['type']                 : '');
+	$type            = ((x($_GET,'type'))            ? $_GET['type']                 : 'data');
 	$last_update     = ((x($_GET,'last_update'))     ? $_GET['last_update']          : '');
 	$destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url']      : '');
-	$sec             = ((x($_GET,'sec'))             ? intval($_GET['sec'])          : 0);
-	$dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 0);
-
+	$challenge       = ((x($_GET,'challenge'))       ? $_GET['challenge']            : '');
+	$sec             = ((x($_GET,'sec'))             ? $_GET['sec']                  : '');
+	$dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 2.0);
 
 	$direction = (-1);
 
@@ -29,7 +29,7 @@ function dfrn_poll_init(&$a) {
 		killme();
 	}
 
-	if((isset($type)) && ($type === 'profile')) {
+	if(($type === 'profile') && (! strlen($sec))) {
 
 		$sql_extra = '';
 		switch($direction) {
@@ -61,6 +61,8 @@ function dfrn_poll_init(&$a) {
 
 			$s = fetch_url($r[0]['poll'] . '?dfrn_id=' . $my_id . '&type=profile-check');
 
+			logger("dfrn_poll: old profile returns " . $s, LOGGER_DATA);
+
 			if(strlen($s)) {
 
 				$xml = simplexml_load_string($s);
@@ -85,30 +87,87 @@ function dfrn_poll_init(&$a) {
 
 	}
 
-	if((isset($type)) && ($type === 'profile-check')) {
+	if($type === 'profile-check') {
 
-		switch($direction) {
-			case 1:
-				$dfrn_id = '0:' . $dfrn_id;
-				break;
-			case 0:
-				$dfrn_id = '1:' . $dfrn_id;
-				break;
-			default:
-				break;
+		if((strlen($challenge)) && (strlen($sec))) {
+
+			q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
+			$r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
+				dbesc($sec)
+			);
+			if(! count($r)) {
+				xml_status(3);
+				// NOTREACHED
+			}
+			$orig_id = $r[0]['dfrn_id'];
+			if(strpos(':',$orig_id))
+				$orig_id = substr($orig_id,2);
+
+			$c = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
+				intval($r[0]['cid'])
+			);
+			if(! count($c)) {
+				xml_status(3);
+			}
+			$contact = $c[0];
+
+			$sent_dfrn_id = hex2bin($dfrn_id);
+			$challenge    = hex2bin($challenge);
+
+			$final_dfrn_id = '';
+
+			if(($contact['duplex']) && strlen($contact['prvkey'])) {
+				openssl_private_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['prvkey']);
+				openssl_private_decrypt($challenge,$decoded_challenge,$contact['prvkey']);
+			}
+			else {
+				openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['pubkey']);
+				openssl_public_decrypt($challenge,$decoded_challenge,$contact['pubkey']);
+			}
+
+			$final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.'));
+
+			if(strpos($final_dfrn_id,':') == 1)
+				$final_dfrn_id = substr($final_dfrn_id,2);
+
+			if($final_dfrn_id != $orig_id) {
+
+				// did not decode properly - cannot trust this site 
+				xml_status(3);
+			}
+
+			header("Content-type: text/xml");
+			echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?><dfrn_poll><status>0</status><challenge>$decoded_challenge</challenge><sec>$sec</sec></dfrn_poll>";
+			killme();
+			// NOTREACHED
 		}
-		q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
-		$r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
-			dbesc($dfrn_id));
-		if(count($r)) {
-			xml_status(1);
+		else {
+				// old protocol
+
+			switch($direction) {
+				case 1:
+					$dfrn_id = '0:' . $dfrn_id;
+					break;
+				case 0:
+					$dfrn_id = '1:' . $dfrn_id;
+					break;
+				default:
+					break;
+			}
+
+
+			q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
+			$r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
+				dbesc($dfrn_id));
+			if(count($r)) {
+				xml_status(1);
+				return; // NOTREACHED
+			}
+			xml_status(0);
 			return; // NOTREACHED
 		}
-		xml_status(0);
-		return; // NOTREACHED
 	}
 
-
 }
 
 
@@ -118,7 +177,7 @@ function dfrn_poll_post(&$a) {
 	$dfrn_id      = ((x($_POST,'dfrn_id'))      ? $_POST['dfrn_id']              : '');
 	$challenge    = ((x($_POST,'challenge'))    ? $_POST['challenge']            : '');
 	$url          = ((x($_POST,'url'))          ? $_POST['url']                  : '');
-	$dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 0);
+	$dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0);
 
 	$direction    = (-1);
 	if(strpos($dfrn_id,':') == 1) {
@@ -213,11 +272,12 @@ function dfrn_poll_post(&$a) {
 
 function dfrn_poll_content(&$a) {
 
-	$dfrn_id      = ((x($_GET,'dfrn_id'))      ? $_GET['dfrn_id']              : '');
-	$type         = ((x($_GET,'type'))         ? $_GET['type']                 : 'data');
-	$last_update  = ((x($_GET,'last_update'))  ? $_GET['last_update']          : '');
-	$dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 2.0);
-	$sec          = ((x($_GET,'sec'))          ? intval($_GET['sec'])          : 0);
+	$dfrn_id         = ((x($_GET,'dfrn_id'))         ? $_GET['dfrn_id']              : '');
+	$type            = ((x($_GET,'type'))            ? $_GET['type']                 : 'data');
+	$last_update     = ((x($_GET,'last_update'))     ? $_GET['last_update']          : '');
+	$destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url']      : '');
+	$sec             = ((x($_GET,'sec'))             ? $_GET['sec']                  : '');
+	$dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 2.0);
 
 	$direction = (-1);
 	if(strpos($dfrn_id,':') == 1) {
@@ -234,19 +294,23 @@ function dfrn_poll_content(&$a) {
 
 		$r = q("DELETE FROM `challenge` WHERE `expire` < " . intval(time()));
 
-		$r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
-			VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
-			dbesc($hash),
-			dbesc($dfrn_id),
-			intval(time() + 60 ),
-			dbesc($type),
-			dbesc($last_update)
-		);
-
+		if($type !== 'profile') {
+			$r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
+				VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
+				dbesc($hash),
+				dbesc($dfrn_id),
+				intval(time() + 60 ),
+				dbesc($type),
+				dbesc($last_update)
+			);
+		}
 		$sql_extra = '';
 		switch($direction) {
 			case (-1):
-				$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
+				if($type === 'profile')
+					$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id),dbesc($dfrn_id));
+				else
+					$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
 				$my_id = $dfrn_id;
 				break;
 			case 0:
@@ -262,7 +326,12 @@ function dfrn_poll_content(&$a) {
 				break; // NOTREACHED
 		}
 
-		$r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 $sql_extra LIMIT 1");
+		$r = q("SELECT `contact`.*, `user`.`username`, `user`.`nickname` 
+			FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
+			WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 
+			AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
+			dbesc($a->argv[1])
+		);
 
 		if(count($r)) {
 
@@ -270,7 +339,6 @@ function dfrn_poll_content(&$a) {
 			$encrypted_id = '';
 			$id_str = $my_id . '.' . mt_rand(1000,9999);
 
-
 			if($r[0]['duplex'] && strlen($r[0]['pubkey'])) {
 				openssl_public_encrypt($hash,$challenge,$r[0]['pubkey']);
 				openssl_public_encrypt($id_str,$encrypted_id,$r[0]['pubkey']);
@@ -287,15 +355,61 @@ function dfrn_poll_content(&$a) {
 			$status = 1;
 		}
 
-		header("Content-type: text/xml");
-		echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n"
-			. '<dfrn_poll>' . "\r\n"
-			. "\t" . '<status>' . $status . '</status>' . "\r\n"
-			. "\t" . '<dfrn_version>' . DFRN_PROTOCOL_VERSION . '</dfrn_version>' . "\r\n"
-			. "\t" . '<dfrn_id>' . $encrypted_id . '</dfrn_id>' . "\r\n"
-			. "\t" . '<challenge>' . $challenge . '</challenge>' . "\r\n"
-			. '</dfrn_poll>' . "\r\n" ;
-		killme();
+		if(($type === 'profile') && (strlen($sec))) {
+			// URL reply
+
+			$s = fetch_url($r[0]['poll'] 
+				. '?dfrn_id=' . $encrypted_id 
+				. '&type=profile-check'
+				. '&dfrn_version=' . DFRN_PROTOCOL_VERSION
+				. '&challenge=' . $challenge
+				. '&sec=' . $sec
+			);
+
+			logger("dfrn_poll: sec profile: " . $s, LOGGER_DATA);
+
+			if(strlen($s) && strstr($s,'<?xml')) {
+
+				$xml = simplexml_load_string($s);
+
+				logger('dfrn_poll: profile: parsed xml: ' . print_r($xml,true), LOGGER_DATA);
+
+				logger('dfrn_poll: secure profile: challenge: ' . $xml->challenge . ' expecting ' . $hash);
+				logger('dfrn_poll: secure profile: sec: ' . $xml->sec . ' expecting ' . $sec);
+ 
+				
+				if(((int) $xml->status == 0) && ($xml->challenge == $hash)  && ($xml->sec == $sec)) {
+					$_SESSION['authenticated'] = 1;
+					$_SESSION['visitor_id'] = $r[0]['id'];
+					notice( $r[0]['username'] . t(' welcomes ') . $r[0]['name'] . EOL);
+					// Visitors get 1 day session.
+					$session_id = session_id();
+					$expire = time() + 86400;
+					q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s' LIMIT 1",
+						dbesc($expire),
+						dbesc($session_id)
+					); 
+				}
+				$profile = $r[0]['nickname'];
+				goaway((strlen($destination_url)) ? $destination_url : $a->get_baseurl() . '/profile/' . $profile);
+			}
+			goaway($a->get_baseurl());
+			// NOTREACHED
+
+		}
+		else {
+			// XML reply
+			header("Content-type: text/xml");
+			echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n"
+				. '<dfrn_poll>' . "\r\n"
+				. "\t" . '<status>' . $status . '</status>' . "\r\n"
+				. "\t" . '<dfrn_version>' . DFRN_PROTOCOL_VERSION . '</dfrn_version>' . "\r\n"
+				. "\t" . '<dfrn_id>' . $encrypted_id . '</dfrn_id>' . "\r\n"
+				. "\t" . '<challenge>' . $challenge . '</challenge>' . "\r\n"
+				. '</dfrn_poll>' . "\r\n" ;
+			killme();
+			// NOTREACHED
+		}
 	}
 }
 
diff --git a/mod/redir.php b/mod/redir.php
index f95c52c96e..cc58b9cd12 100644
--- a/mod/redir.php
+++ b/mod/redir.php
@@ -4,10 +4,13 @@ function redir_init(&$a) {
 
 	if((! local_user()) || (! ($a->argc == 2)) || (! intval($a->argv[1])))
 		goaway($a->get_baseurl());
+	$cid = $a->argv[1];
+
 	$r = q("SELECT `network`, `issued-id`, `dfrn-id`, `duplex`, `poll` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
-		intval($a->argv[1]),
+		intval($cid),
 		intval(local_user())
 	);
+
 	if((! count($r)) || ($r[0]['network'] !== 'dfrn'))
 		goaway($a->get_baseurl());
 
@@ -21,12 +24,20 @@ function redir_init(&$a) {
 		$orig_id = $r[0]['dfrn-id'];
 		$dfrn_id = '0:' . $orig_id;
 	}
-	q("INSERT INTO `profile_check` ( `uid`, `dfrn_id`, `expire`)
-		VALUES( %d, '%s', %d )",
-		intval($_SESSION['uid']),
+
+	$sec = random_string();
+
+	q("INSERT INTO `profile_check` ( `uid`, `cid`, `dfrn_id`, `sec`, `expire`)
+		VALUES( %d, %s, '%s', '%s', %d )",
+		intval(local_user()),
+		intval($cid),
 		dbesc($dfrn_id),
-		intval(time() + 45));
+		dbesc($sec),
+		intval(time() + 45)
+	);
+
 	goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id 
-		. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=1');
+//		. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile');
+		. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec);
 	
 }