Fix: ouverture d'une session temporaire de securite pour stocker une de cryptage al�atoire pour

encryption du cookie

htdocs/conf/conf.php.example

@@ -1,189 +1,179 @@
-<?php
-#
-# Dolibarr example for conf.php file
-#
-# Do not edit this file without changing its name.
-# This file is used by Dolibarr setup process to create true Dolibarr
-# config file called "conf.php".
-#
-# $Id$
-
-
-# dolibarr_main_url_root
-# This parameter defines the root URL of your Dolibarr index.php page.
-# It must link to the directory htdocs.
-# Examples:
-# $dolibarr_main_url_root="http://localhost";
-# $dolibarr_main_url_root="http://mydolibarrvirtualhost";
-# $dolibarr_main_url_root="http://myserver/dolibarr/htdocs";
-#
-$dolibarr_main_url_root="";
-
-
-# dolibarr_main_document_root
-# This parameter contains absolute file system directory of Dolibarr
-# htdocs directory
-# Examples:
-# $dolibarr_main_document_root="/var/www/dolibarr/htdocs";
-# $dolibarr_main_document_root="C:/My web sites/dolibarr/htdocs";
-#
-$dolibarr_main_document_root="";
-
-
-# dolibarr_main_data_root
-# This parameter contains absolute file system directory of Dolibarr
-# directory used to store uploaded and generated physical files.
-# Examples:
-# $dolibarr_main_document_root="/var/www/dolibarr/documents";
-# $dolibarr_main_document_root="E:/My web sites/dolibarr/documents";
-#
-$dolibarr_main_data_root="";
-
-
-# dolibarr_main_db_host
-# This parameter contains host name or ip address of Dolibarr database
-# server.
-# Examples:
-# $dolibarr_main_db_host="localhost";
-# $dolibarr_main_db_host="127.0.0.1";
-# $dolibarr_main_db_host="192.168.0.10";
-# $dolibarr_main_db_host="mysql.myserver.com";
-#
-$dolibarr_main_db_host="";
-
-
-# dolibarr_main_db_port
-# This parameter contains the port of the Dolibarr database.
-# Default value: none
-# Examples:
-# $dolibarr_main_db_host="3306;
-#
-$dolibarr_main_db_port="";
-
-
-# dolibarr_main_db_name
-# This parameter contains name of Dolibarr database.
-# Examples:
-# $dolibarr_main_db_name="dolibarr";
-# $dolibarr_main_db_name="mydatabase";
-#
-$dolibarr_main_db_name="";
-
-
-# dolibarr_main_db_user
-# This parameter contains user name used to read and write into
-# Dolibarr database.
-# Examples:
-# $dolibarr_main_db_user="admin";
-# $dolibarr_main_db_user="dolibarruser";
-#
-$dolibarr_main_db_user="";
-
-
-# dolibarr_main_db_pass
-# This parameter contains password used to read and write into
-# Dolibarr database.
-# Examples:
-# $dolibarr_main_db_pass="myadminpass";
-# $dolibarr_main_db_pass="myuserpassword";
-#
-$dolibarr_main_db_pass="";
-
-
-# dolibarr_main_db_type
-# This parameter contains the name of the driver used to access your
-# Dolibarr database.
-# Default value: none
-# Possible values: mysql, mysqli, pgsql
-# Examples:
-# $dolibarr_main_db_type="mysql;
-# $dolibarr_main_db_type="mysqli";
-# $dolibarr_main_db_type="pgsql";
-#
-$dolibarr_main_db_type="";
-
-
-# dolibarr_main_db_character_set
-# Database character set used to store data (forced during database creation).
-# Default value: depends on database driver
-# Examples:
-# dolibarr_main_db_character_set="latin1";
-#
-$dolibarr_main_db_character_set="latin1";
-
-
-# dolibarr_main_db_collation
-# Database character set used to sort data (forced during database creation).
-# Default value: depends on database driver
-# Examples:
-# dolibarr_main_db_collation="latin1_swedish_ci";
-#
-$dolibarr_main_db_collation="latin1_swedish_ci";
-
-
-# dolibarr_main_authentication
-# This parameter contains the way authentication is done.
-# If value "ldap" is used, you must also set parameters dolibarr_main_auth_ldap_*
-# Default value: dolibarr
-# Possible values: Any values found in files in htdocs/includes/login directory after
-# the "function_" string and before the ".php" string.
-# Examples:
-# $dolibarr_main_authentication="http";
-# $dolibarr_main_authentication="dolibarr";
-# $dolibarr_main_authentication="ldap";
-#
-$dolibarr_main_authentication="dolibarr";
-
-
-# dolibarr_main_force_https
-# This parameter allows to force the HTTPS mode.
-# Warning: If you enable this parameter, your dolibarr_main_url_root parameter
-# must contains an URL with https and web server must be configured to respond
-# to such an URL.
-# Default value: 0
-# Possible values: 0 or 1
-# Examples:
-# $dolibarr_main_force_https=0;
-#
-$dolibarr_main_force_https="0";
-
-
-# dolibarr_main_cookie_cryptkey
-# This parameter contains the key for crypted cookies.
-# Warning: This parameter must be configured with multicompany module
-# Default value: 123
-# Possible values: must be a integer
-# Examples:
-# $dolibarr_main_cookie_cryptkey="6589148567895233654";
-#
-# $dolibarr_main_cookie_cryptkey="123456789";
-
-# Parameters used to setup LDAP authentication.
-# Uncomment them if dolibarr_main_authentication = "ldap"
-#
-# $dolibarr_main_auth_ldap_host="127.0.0.1";
-# $dolibarr_main_auth_ldap_port="389";
-# $dolibarr_main_auth_ldap_version="3";
-# $dolibarr_main_auth_ldap_servertype="openldap";					# openldap, activedirectory or egroupware
-#
-# Following parameters should not be used in LDAP connection (deprecated ?):
-# $dolibarr_main_auth_ldap_login_attribute="loginfield";	# uid or samaccountname for active directory
-# $dolibarr_main_auth_ldap_dn="";							# Ex: ou=users,dc=my-domain,dc=com
-# $dolibarr_main_auth_ldap_admin_login="";					# Required only if anonymous bind disabled
-# $dolibarr_main_auth_ldap_admin_pass="";					# Required only if anonymous bind disabled
-#
-# $dolibarr_main_auth_ldap_debug="false";
-
-
-# Parameters not used yet
-# dolibarr_smarty_libs_dir,dolibarr_smarty_compile,dolibarr_smarty_cache
-# Examples:
-# $dolibarr_smarty_libs_dir="/var/www/dolibarr/external-libs/smarty/libs/";
-# $dolibarr_smarty_compile="/var/www/dolibarr/documents/temp/smarty_templates";
-# $dolibarr_smarty_cache="/var/www/dolibarr/documents/temp/smarty_cache";
-#
-$dolibarr_smarty_libs_dir="";
-$dolibarr_smarty_compile="";
-$dolibarr_smarty_cache="";
-
-?>
+<?php
+#
+# Dolibarr example for conf.php file
+#
+# Do not edit this file without changing its name.
+# This file is used by Dolibarr setup process to create true Dolibarr
+# config file called "conf.php".
+#
+# $Id$
+
+
+# dolibarr_main_url_root
+# This parameter defines the root URL of your Dolibarr index.php page.
+# It must link to the directory htdocs.
+# Examples:
+# $dolibarr_main_url_root="http://localhost";
+# $dolibarr_main_url_root="http://mydolibarrvirtualhost";
+# $dolibarr_main_url_root="http://myserver/dolibarr/htdocs";
+#
+$dolibarr_main_url_root="";
+
+
+# dolibarr_main_document_root
+# This parameter contains absolute file system directory of Dolibarr
+# htdocs directory
+# Examples:
+# $dolibarr_main_document_root="/var/www/dolibarr/htdocs";
+# $dolibarr_main_document_root="C:/My web sites/dolibarr/htdocs";
+#
+$dolibarr_main_document_root="";
+
+
+# dolibarr_main_data_root
+# This parameter contains absolute file system directory of Dolibarr
+# directory used to store uploaded and generated physical files.
+# Examples:
+# $dolibarr_main_document_root="/var/www/dolibarr/documents";
+# $dolibarr_main_document_root="E:/My web sites/dolibarr/documents";
+#
+$dolibarr_main_data_root="";
+
+
+# dolibarr_main_db_host
+# This parameter contains host name or ip address of Dolibarr database
+# server.
+# Examples:
+# $dolibarr_main_db_host="localhost";
+# $dolibarr_main_db_host="127.0.0.1";
+# $dolibarr_main_db_host="192.168.0.10";
+# $dolibarr_main_db_host="mysql.myserver.com";
+#
+$dolibarr_main_db_host="";
+
+
+# dolibarr_main_db_port
+# This parameter contains the port of the Dolibarr database.
+# Default value: none
+# Examples:
+# $dolibarr_main_db_host="3306;
+#
+$dolibarr_main_db_port="";
+
+
+# dolibarr_main_db_name
+# This parameter contains name of Dolibarr database.
+# Examples:
+# $dolibarr_main_db_name="dolibarr";
+# $dolibarr_main_db_name="mydatabase";
+#
+$dolibarr_main_db_name="";
+
+
+# dolibarr_main_db_user
+# This parameter contains user name used to read and write into
+# Dolibarr database.
+# Examples:
+# $dolibarr_main_db_user="admin";
+# $dolibarr_main_db_user="dolibarruser";
+#
+$dolibarr_main_db_user="";
+
+
+# dolibarr_main_db_pass
+# This parameter contains password used to read and write into
+# Dolibarr database.
+# Examples:
+# $dolibarr_main_db_pass="myadminpass";
+# $dolibarr_main_db_pass="myuserpassword";
+#
+$dolibarr_main_db_pass="";
+
+
+# dolibarr_main_db_type
+# This parameter contains the name of the driver used to access your
+# Dolibarr database.
+# Default value: none
+# Possible values: mysql, mysqli, pgsql
+# Examples:
+# $dolibarr_main_db_type="mysql;
+# $dolibarr_main_db_type="mysqli";
+# $dolibarr_main_db_type="pgsql";
+#
+$dolibarr_main_db_type="";
+
+
+# dolibarr_main_db_character_set
+# Database character set used to store data (forced during database creation).
+# Default value: depends on database driver
+# Examples:
+# dolibarr_main_db_character_set="latin1";
+#
+$dolibarr_main_db_character_set="latin1";
+
+
+# dolibarr_main_db_collation
+# Database character set used to sort data (forced during database creation).
+# Default value: depends on database driver
+# Examples:
+# dolibarr_main_db_collation="latin1_swedish_ci";
+#
+$dolibarr_main_db_collation="latin1_swedish_ci";
+
+
+# dolibarr_main_authentication
+# This parameter contains the way authentication is done.
+# If value "ldap" is used, you must also set parameters dolibarr_main_auth_ldap_*
+# Default value: dolibarr
+# Possible values: Any values found in files in htdocs/includes/login directory after
+# the "function_" string and before the ".php" string.
+# Examples:
+# $dolibarr_main_authentication="http";
+# $dolibarr_main_authentication="dolibarr";
+# $dolibarr_main_authentication="ldap";
+#
+$dolibarr_main_authentication="dolibarr";
+
+
+# dolibarr_main_force_https
+# This parameter allows to force the HTTPS mode.
+# Warning: If you enable this parameter, your dolibarr_main_url_root parameter
+# must contains an URL with https and web server must be configured to respond
+# to such an URL.
+# Default value: 0
+# Possible values: 0 or 1
+# Examples:
+# $dolibarr_main_force_https=0;
+#
+$dolibarr_main_force_https="0";
+
+
+# Parameters used to setup LDAP authentication.
+# Uncomment them if dolibarr_main_authentication = "ldap"
+#
+# $dolibarr_main_auth_ldap_host="127.0.0.1";
+# $dolibarr_main_auth_ldap_port="389";
+# $dolibarr_main_auth_ldap_version="3";
+# $dolibarr_main_auth_ldap_servertype="openldap";					# openldap, activedirectory or egroupware
+#
+# Following parameters should not be used in LDAP connection (deprecated ?):
+# $dolibarr_main_auth_ldap_login_attribute="loginfield";	# uid or samaccountname for active directory
+# $dolibarr_main_auth_ldap_dn="";							# Ex: ou=users,dc=my-domain,dc=com
+# $dolibarr_main_auth_ldap_admin_login="";					# Required only if anonymous bind disabled
+# $dolibarr_main_auth_ldap_admin_pass="";					# Required only if anonymous bind disabled
+#
+# $dolibarr_main_auth_ldap_debug="false";
+
+
+# Parameters not used yet
+# dolibarr_smarty_libs_dir,dolibarr_smarty_compile,dolibarr_smarty_cache
+# Examples:
+# $dolibarr_smarty_libs_dir="/var/www/dolibarr/external-libs/smarty/libs/";
+# $dolibarr_smarty_compile="/var/www/dolibarr/documents/temp/smarty_templates";
+# $dolibarr_smarty_cache="/var/www/dolibarr/documents/temp/smarty_cache";
+#
+$dolibarr_smarty_libs_dir="";
+$dolibarr_smarty_compile="";
+$dolibarr_smarty_cache="";
+
+?>

htdocs/main.inc.php

@@ -117,10 +117,19 @@ if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERV
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 
+// Security session
+$sessionname="DOLSESSID_SECURITY";
+session_name($sessionname);
+session_start();
+if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand();
+
 // Set and init common variables
 // This include will set: $conf, $langs and $mysoc objects
 require_once("master.inc.php");
 
+//Fermeture de la session de sécurite, ses donnees sont sauvegardees
+session_write_close();
+
 // Check if HTTPS
 if ($conf->file->main_force_https)
 {
@@ -449,11 +458,9 @@ if (! isset($_SESSION["dol_login"]))
 
 		if (!isset($HTTP_COOKIE_VARS[$entityCookieName]))
 		{
-			// Todo: utiliser $user->datelastlogin pour un cryptage aléatoire
-			$entityCookie = new DolCookie($conf->file->main_cookie_cryptkey);
+			// Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
+			$entityCookie = new DolCookie($_SESSION['cryptkey']);
 			$entityCookie->_setCookie($entityCookieName, $entity);
-
-			//setcookie($entityCookieName, $entity, 0, "/", "", 0);
 		}
 	}
 

htdocs/master.inc.php

@@ -136,9 +136,6 @@ $conf->file->main_force_https = empty($dolibarr_main_force_https)?'':$dolibarr_m
 // Define charset for HTML Output (can set hidden value force_charset in conf.php file)
 if (empty($force_charset_do_notuse)) $force_charset_do_notuse='UTF-8';
 $conf->file->character_set_client=strtoupper($force_charset_do_notuse);
-// Define the encrypt key for cookie
-//if (empty($dolibarr_main_cookie_cryptkey)) $dolibarr_main_cookie_cryptkey='123';
-//$conf->file->main_cookie_cryptkey=$dolibarr_main_cookie_cryptkey;
 
 // Define array of document root directories
 $conf->file->dol_document_root=array(DOL_DOCUMENT_ROOT);
@@ -216,7 +213,6 @@ if (! defined('NOREQUIREDB'))
 	}
 	else if (isset($_COOKIE[$entityCookieName]))					// Inside a browser navigation
 	{
-		// TODO See to remove this later as it is a security hole
 		include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php");
 
 		// Utilisation de $_SESSION['cryptkey'] comme cle de cryptage

htdocs/user/logout.php

@@ -51,6 +51,12 @@ session_name($sessionname);
 session_destroy();
 dol_syslog("End session in DOLSESSID_".$dolibarr_main_db_name);
 
+// Destroy security session
+$sessionname="DOLSESSID_SECURITY";
+session_name($sessionname);
+session_destroy();
+dol_syslog("End security session in DOLSESSID_".$dolibarr_main_db_name);
+
 // Init session
 $sessionname="DOLSESSID_".$dolibarr_main_db_name;
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);