From 149e232bd34955479b91d639bf640d040b64b06a Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 8 May 2009 19:46:07 +0000 Subject: [PATCH] Add: /core/cookie.class.php for create and encrypt/decrypt cookie value with personnal key configured in conf.php with $dolibarr_main_cookie_cryptkey --- htdocs/conf/conf.php.example | 10 +++ htdocs/core/cookie.class.php | 116 +++++++++++++++++++++++++++++++++++ htdocs/main.inc.php | 2 +- htdocs/master.inc.php | 6 +- 4 files changed, 132 insertions(+), 2 deletions(-) create mode 100644 htdocs/core/cookie.class.php diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example index 7f04be837b9..184b266446f 100644 --- a/htdocs/conf/conf.php.example +++ b/htdocs/conf/conf.php.example @@ -148,6 +148,16 @@ $dolibarr_main_authentication="dolibarr"; $dolibarr_main_force_https="0"; +# dolibarr_main_cookie_cryptkey +# This parameter contains the key for crypted cookies. +# Warning: This parameter must be configured with multicompany module +# Default value: 123 +# Possible values: must be a integer +# Examples: +# $dolibarr_main_cookie_cryptkey="6589148567895233654"; +# +# $dolibarr_main_cookie_cryptkey="123456789"; + # Parameters used to setup LDAP authentication. # Uncomment them if dolibarr_main_authentication = "ldap" # diff --git a/htdocs/core/cookie.class.php b/htdocs/core/cookie.class.php new file mode 100644 index 00000000000..8fd5dd23841 --- /dev/null +++ b/htdocs/core/cookie.class.php 
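Review bot: The new conf.php.example block presents a short numeric value as the norm for `$dolibarr_main_cookie_cryptkey` (`Default value: 123`, `must be a integer`, sample `123456789`), but a small integer used as a multiplier is not a secret in any practical sense — the cookie class added in this same commit derives every cookie byte from `ord(char) * key`, so the key is recoverable from a single cookie value. I would reword the block to describe the key as a per-installation secret, e.g. `# This parameter contains the secret key used to protect cookie values.` and `# Warning: set a long random value on every installation; the default 123 is shared by every installation that does not change it.` The `Possible values: must be a integer` line only exists because of the multiply scheme in cookie.class.php and should be dropped if that class moves to a keyed hash.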
@@ -0,0 +1,116 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/** + \file htdocs/core/cookie.class.php + \ingroup core + \version $Id$ + \brief File of class to manage cookies + */ + + + class DolCookie + { + var $myKey; + var $myCookie; + var $myValue; + var $myExpire; + var $myPath; + var $myDomain; + var $mySsecure; + var $cookiearray; + var $cookie; + + /** + * \brief Constructor + * \param key Personnal key + */ + function DolCookie($key = 123) + { + $this->myKey = $key; + $this->cookiearray = array(); + $this->cookie = ""; + $this->myCookie = ""; + $this->myValue = ""; + } + + + /** + * \brief Encrypt en create the cookie + */ + function cryptCookie() + { + $valuecrypt = base64_encode($this->myValue); + for ($f=0 ; $f<=strlen($valuecrypt)-1; $f++) + { + $this->cookie .= intval(ord($valuecrypt[$f]))*$this->myKey."|"; + } + + setcookie($this->myCookie, $this->cookie, $this->myExpire, $this->myPath, $this->myDomain, $this->mySecure); + } + + /** + * \brief Decrypt the cookie + */ + function decryptCookie() + { + $this->cookiearray = explode("|",$_COOKIE[$this->myCookie]); + $this->myValue = "" ; + for ($f=0 ; $f<=count($this->cookiearray)-2; $f++) + { + $this->myValue .= strval(chr($this->cookiearray[$f]/$this->myKey)); + } + + return(base64_decode($this->myValue)) ; + } + + /** 
+ * \brief Set and create the cookie + * \param cookie Cookie name + * \param value Cookie value + */ + function _setCookie($cookie, $value, $expire=0, $path="/", $domain="", $secure=0) + { + $this->myCookie = $cookie; + $this->myValue = $value; + $this->myExpire = $expire; + $this->myPath = $path; + $this->myDomain = $domain; + $this->mySsecure = $secure; + + $this->cryptCookie(); + } + + /** + * \brief Get the cookie + * \param cookie Cookie name + * \param value Cookie value + * \return decryptValue Decrypted value + */ + function _getCookie($cookie) + { + $this->myCookie = $cookie; + + $decryptValue = $this->decryptCookie(); + + return $decryptValue; + } + + } + +?> diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 3657a9854ac..0c319865258 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -446,7 +446,7 @@ if (! isset($_SESSION["dol_login"])) if (!isset($HTTP_COOKIE_VARS[$entityCookieName])) { $entityCookie = new DolCookie($dolibarr_main_cookie_cryptkey); - $entityCookie->_setCookie($entityCookieName, $_POST["entity"]); + $entityCookie->_setCookie($entityCookieName, $entity); //setcookie($entityCookieName, $entity, 0, "/", "", 0); } diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 7696e84ae06..eef41bf11b3 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -214,7 +214,11 @@ if (! defined('NOREQUIREDB')) else if (isset($_COOKIE[$entityCookieName])) // Inside a browser navigation { // TODO See to remove this later as it is a security hole - $conf->entity = $_COOKIE[$entityCookieName]; + include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php"); + $entityCookie = new DolCookie($dolibarr_main_cookie_cryptkey); + $conf->entity = $entityCookie->_getCookie($entityCookieName); + + //$conf->entity = $_COOKIE[$entityCookieName]; } elseif (session_id() && isset($_SESSION["dol_entity"])) // Inside an opened session {
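Review bot: `cryptCookie()` does not encrypt: each base64 character becomes `intval(ord($valuecrypt[$f]))*$this->myKey`, so the cookie is a list of plain multiples of the key and the key is recoverable from one cookie, while `decryptCookie()` accepts whatever is in `$_COOKIE[$this->myCookie]` with no integrity check and divides it by the key (a null or 0 key, which the constructor does not reject, makes that a division by zero). Since master.inc.php assigns the result to `$conf->entity`, the value needs to be authenticated rather than obfuscated — keep the base64 payload and append `hash_hmac('sha256', $payload, $this->myKey)`, verify it on read, and return the same empty string the current code returns when the cookie is absent, so the caller's existing fallback applies (what that fallback is cannot be seen from this hunk). Separately, the class declares `var $mySsecure;` and `_setCookie()` writes `$this->mySsecure = $secure;`, but the `setcookie()` call reads `$this->mySecure`, so the Secure flag is silently never set — rename both to `mySecure`. `cryptCookie()` also appends to `$this->cookie` (`.=`) instead of assigning it, so a second `_setCookie()` on the same object sends the previous value concatenated with the new one.
```php
    function cryptCookie()
    {
        // Bind the payload to the key with an HMAC so a modified cookie is rejected on read
        $payload = base64_encode($this->myValue);
        $mac = hash_hmac('sha256', $payload, $this->myKey);
        $this->cookie = $payload."|".$mac;

        setcookie($this->myCookie, $this->cookie, $this->myExpire, $this->myPath, $this->myDomain, $this->mySecure);
    }

    function decryptCookie()
    {
        // Same result as a missing cookie for anything that is absent, malformed or fails verification
        if (! isset($_COOKIE[$this->myCookie])) return "";
        $parts = explode("|", $_COOKIE[$this->myCookie]);
        if (count($parts) != 2) return "";
        list($payload, $mac) = $parts;
        if (hash_hmac('sha256', $payload, $this->myKey) !== $mac) return "";

        return base64_decode($payload);
    }

    // … unchanged: _setCookie (with mySsecure renamed to mySecure) and _getCookie …
```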
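Review bot: The guard around the new `_setCookie()` call tests `$HTTP_COOKIE_VARS[$entityCookieName]`, while the reading side in master.inc.php tests `$_COOKIE[$entityCookieName]`; `$HTTP_COOKIE_VARS` is the legacy long-array form that is only populated when `register_long_arrays` is on, so on installations where it is off the condition is presumably always true and the cookie is re-issued on every pass through this block. Both sides should use the same superglobal: `if (!isset($_COOKIE[$entityCookieName]))`. The call also leaves `$secure` at its default `0`; it is worth revisiting together with the `$dolibarr_main_force_https` setting documented in conf.php.example. The enclosing `if (! isset($_SESSION["dol_login"]))` block starts before the hunk.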
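Review bot: `new DolCookie($dolibarr_main_cookie_cryptkey)` passes the conf.php variable straight through, and on an installation whose conf.php predates this commit that variable is undefined, so the constructor receives null rather than its `123` default (an explicit null argument does not trigger a parameter default) and `decryptCookie()` then divides every cookie field by null. Check the setting before use and fail closed when it is missing, in whatever form the surrounding configuration checks use — e.g. `if (empty($dolibarr_main_cookie_cryptkey)) { /* treat as a configuration error */ }` — rather than silently computing with null or falling back to the shared default. The `// TODO See to remove this later as it is a security hole` line above the new code remains accurate, because `_getCookie()` only reverses the multiplication and performs no integrity check, so the entity is still taken from a client-controlled value; the comment should say so, e.g. `// TODO cookie value is obfuscated, not authenticated; entity is still client-controlled`. The enclosing `if (! defined('NOREQUIREDB'))` block starts before the hunk.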