Add: entity cookie just used for the login page

htdocs/core/cookie.class.php

@@ -40,7 +40,7 @@
 	   *      \brief      Constructor
 	   *      \param      key      Personnal key
 	   */
-    function DolCookie($key = 123)
+    function DolCookie($key = '')
     {
     	$this->myKey = $key;
       $this->cookiearray = array();
@@ -55,10 +55,17 @@
 	   */
     function cryptCookie()
     {
-    	$valuecrypt = base64_encode($this->myValue);
-      for ($f=0 ; $f<=strlen($valuecrypt)-1; $f++)
+    	if (!empty($this->myKey))
+    	{
+    		$valuecrypt = base64_encode($this->myValue);
+    		for ($f=0 ; $f<=strlen($valuecrypt)-1; $f++)
+    		{
+    			$this->cookie .= intval(ord($valuecrypt[$f]))*$this->myKey."|";
+    		}
+      }
+      else
       {
-      	$this->cookie .= intval(ord($valuecrypt[$f]))*$this->myKey."|";    
+      	$this->cookie = $this->myValue;
       }
       
       setcookie($this->myCookie, $this->cookie, $this->myExpire, $this->myPath, $this->myDomain, $this->mySecure);
@@ -69,14 +76,21 @@
 	   */
     function decryptCookie()
     {
-    	$this->cookiearray = explode("|",$_COOKIE[$this->myCookie]);
-    	$this->myValue = "" ; 
-    	for ($f=0 ; $f<=count($this->cookiearray)-2; $f++)
+    	if (!empty($this->myKey))
     	{
-    		$this->myValue .= strval(chr($this->cookiearray[$f]/$this->myKey));
+    		$this->cookiearray = explode("|",$_COOKIE[$this->myCookie]);
+    		$this->myValue = "" ;
+    		for ($f=0 ; $f<=count($this->cookiearray)-2; $f++)
+    		{
+    			$this->myValue .= strval(chr($this->cookiearray[$f]/$this->myKey));
+    		}
+    		
+    		return(base64_decode($this->myValue)) ;
+    	}
+    	else
+    	{
+    		return($_COOKIE[$this->myCookie]);
     	}
-    	
-      return(base64_decode($this->myValue)) ;
     }
 
     /**
@@ -93,6 +107,8 @@
     	$this->myDomain = $domain;
     	$this->mySsecure = $secure;
     	
+    	//print 'key='.$this->myKey.' name='.$this->myCookie.' value='.$this->myValue.' expire='.$this->myExpire;
+    	
     	$this->cryptCookie();
     }
     

htdocs/lib/security.lib.php

@@ -168,13 +168,28 @@ function dol_loginfunction($langs,$conf,$mysoc)
 	if (! empty($conf->global->MAIN_MODULE_MULTICOMPANY))
 	{
 		$html = new Form($db);
+		$lastentity = '';
+		
+		if (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE))
+		{
+			$entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+			if (isset($_COOKIE[$entityCookieName]))
+			{
+				include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php");
+				
+				$cryptkey = (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY : '' );
+				
+				$entityCookie = new DolCookie($cryptkey);
+				$lastentity = $entityCookie->_getCookie($entityCookieName);
+			}
+		}
 
 		//TODO: creer class
 		$entity = array('1'=>'company1','2'=>'company2');
 
 		print '<tr><td align="left" valign="top" nowrap="nowrap"> &nbsp; <b>'.$langs->trans("Entity").'</b> &nbsp; </td>';
 		print '<td valign="top" nowrap="nowrap">';
-		print $html->selectarray('entity',$entity,'',0,0,0,1,'tabindex="3"');
+		print $html->selectarray('entity',$entity,$lastentity,0,0,0,1,'tabindex="3"');
 		print '</td></tr>';
 	}
 

htdocs/main.inc.php

@@ -126,9 +126,6 @@ if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessio
 session_name($sessionname);
 session_start();
 
-// Security. TODO Check if this is usefull.
-//if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand();
-
 // Set and init common variables
 // This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects
 require_once("master.inc.php");
@@ -184,6 +181,7 @@ if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSI
 	if (($_POST['token'] != $_SESSION['token_level_1']) && ($_POST['token'] != $_SESSION['token_level_2']))
 	{
 		dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token_level_1']=".$_SESSION['token_level_1'].", _SESSION['token_level_2']=".$_SESSION['token_level_2']);
+		print 'Unset POST by CSRF protection in main.inc.php.';
 		unset($_POST);
 	}
 }
@@ -442,27 +440,21 @@ if (! isset($_SESSION["dol_login"]))
 		$db->commit();
 	}
 
-	// Create entity cookie
-	// TODO Replace cookie usage to store entity in session to make code so much simpler with no
-	// need to crypt, no need to use token, etc...
-	// No data specific to session must be stored in cookies as this is the goal of session
-	// object and not cookie. Saving entity in session should  save a large amount of useless code,
-	// make code cleaner and solve pb of forged cookie.
-/*	if ($conf->multicompany->enabled && isset($_POST["entity"]))
+	// Create entity cookie, just used for login page
+	if (!empty($conf->global->MAIN_MODULE_MULTICOMPANY) && !empty($conf->global->MAIN_MULTICOMPANY_COOKIE) && isset($_POST["entity"]))
 	{
-		include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php");
+		include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php");
 
 		$entity = $_POST["entity"];
-		$entityCookieName = "DOLENTITYID_dolibarr";
-
-		if (!isset($_COOKIE[$entityCookieName]))
-		{
-			// Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
-			$entityCookie = new DolCookie($_SESSION['cryptkey']);
-			$entityCookie->_setCookie($entityCookieName, $entity);
-		}
+		$entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+		// TTL : sera defini dans la page de config multicompany
+		$ttl = (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_TTL) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_TTL : time()+60*60*8 );
+		// Cryptkey : sera cree aleatoirement dans la page de config multicompany
+		$cryptkey = (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY : '' );
+			
+		$entityCookie = new DolCookie($cryptkey);
+		$entityCookie->_setCookie($entityCookieName, $entity);
 	}
-*/
 
 	// Module webcalendar
 	if (! empty($conf->webcal->enabled) && $user->webcal_login != "")

htdocs/master.inc.php

@@ -213,28 +213,9 @@ if (! defined('NOREQUIREDB'))
 	{
 		$conf->entity = $_ENV["dol_entity"];
 	}
-	else															// Entity from login page
+	elseif (isset($_POST["loginfunction"]) && isset($_POST["entity"]))	// Just after a login page
 	{
-		if (isset($_POST["loginfunction"]) && isset($_POST["entity"]))	// Just after a login page
-		{
-			$conf->entity = $_POST["entity"];
-		}
-		else
-		{
-			// TODO MULTICOMP This can be removed now.
-			// Cookie usage replaced with session to save a lot of code and avoid cookie forging.
-			/*
-			$entityCookieName="DOLENTITYID_dolibarr";
-			if (isset($_COOKIE[$entityCookieName]))					// Should not be used anymore
-			{
-				include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php");
-
-				// Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
-				$entityCookie = new DolCookie($_SESSION['cryptkey']);
-				$conf->entity = $entityCookie->_getCookie($entityCookieName);
-			}
-			*/
-		}
+		$conf->entity = $_POST["entity"];
 	}
 	$conf->setValues($db);
 }

htdocs/user/logout.php

@@ -55,14 +55,6 @@ session_name($sessionname);
 session_destroy();
 dol_syslog("End of session ".$sessionname);
 
-// Destroy entity cookie
-// TODO MULTICOMP Must fix this. Use session instead of cookie.
-if ($conf->multicompany->enabled)
-{
-	$entityCookieName = "DOLENTITYID_dolibarr";
-	setcookie($entityCookieName, '', 1, "/");
-}
-
 // Define url to go
 $url=DOL_URL_ROOT."/index.php";		// By default go to login page
 if ($urlfrom)