diff --git a/htdocs/core/cookie.class.php b/htdocs/core/cookie.class.php
index 8fd5dd23841..846d8bf3576 100644
--- a/htdocs/core/cookie.class.php
+++ b/htdocs/core/cookie.class.php
@@ -40,7 +40,7 @@
 * \brief Constructor
 * \param key Personnal key
 */
- function DolCookie($key = 123)
+ function DolCookie($key = '')
 {
 $this->myKey = $key;
 $this->cookiearray = array();
@@ -55,10 +55,17 @@
 */
 function cryptCookie()
 {
- $valuecrypt = base64_encode($this->myValue);
- for ($f=0 ; $f<=strlen($valuecrypt)-1; $f++)
+ if (!empty($this->myKey))
+ {
+ $valuecrypt = base64_encode($this->myValue);
+ for ($f=0 ; $f<=strlen($valuecrypt)-1; $f++)
+ {
+ $this->cookie .= intval(ord($valuecrypt[$f]))*$this->myKey."|";
+ }
+ }
+ else
 {
- $this->cookie .= intval(ord($valuecrypt[$f]))*$this->myKey."|";
+ $this->cookie = $this->myValue;
 }
 setcookie($this->myCookie, $this->cookie, $this->myExpire, $this->myPath, $this->myDomain, $this->mySecure);
@@ -69,14 +76,21 @@
 */
 function decryptCookie()
 {
- $this->cookiearray = explode("|",$_COOKIE[$this->myCookie]);
- $this->myValue = "" ;
- for ($f=0 ; $f<=count($this->cookiearray)-2; $f++)
+ if (!empty($this->myKey))
 {
- $this->myValue .= strval(chr($this->cookiearray[$f]/$this->myKey));
+ $this->cookiearray = explode("|",$_COOKIE[$this->myCookie]);
+ $this->myValue = "" ;
+ for ($f=0 ; $f<=count($this->cookiearray)-2; $f++)
+ {
+ $this->myValue .= strval(chr($this->cookiearray[$f]/$this->myKey));
+ }
+
+ return(base64_decode($this->myValue)) ;
+ }
+ else
+ {
+ return($_COOKIE[$this->myCookie]);
 }
-
- return(base64_decode($this->myValue)) ;
 }
 /**
@@ -93,6 +107,8 @@
 $this->myDomain = $domain;
 $this->mySsecure = $secure;
+ //print 'key='.$this->myKey.' name='.$this->myCookie.' value='.$this->myValue.' expire='.$this->myExpire;
+
 $this->cryptCookie();
 }
diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php
index a6a3046af70..c488a46a89a 100644
--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
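Review bot: The key branch of cryptCookie still provides neither confidentiality nor integrity: each base64 byte is multiplied by myKey and joined with "|", so the key can be derived from the cookie contents themselves, and decryptCookie in the following hunk divides whatever "|"-separated client data arrives by the key and feeds the result to chr() with no numeric check. The new else branches make the cookie plaintext whenever the key is empty, which is now the default given `function DolCookie($key = '')` in the first hunk. Treat the value as an untrusted client preference: if only pre-selecting the entity is needed, store the id in clear and validate it where it is read; if tamper-evidence is wanted, append `hash_hmac()` over the value with a server-side secret and verify with `hash_equals()` before use. Note too that `$this->cookie .=` appends to whatever the property already holds (the constructor's remaining lines are outside the first hunk), so a second call on the same object concatenates two encodings; initialise `$this->cookie = '';` at the top of the key branch.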
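Review bot: The context line `$this->mySsecure = $secure;` just above the new debug comment assigns a misspelled property, while cryptCookie passes `$this->mySecure` to setcookie(), so the secure flag requested by the caller is silently dropped and the cookie is also sent over plain HTTP; the fix is `$this->mySecure = $secure;` (unless mySsecure is read somewhere outside these hunks). The setter's signature is outside the hunk, so I infer from main.inc.php that this is _setCookie. The commented-out `//print 'key='.$this->myKey...` line is dead code that, if ever uncommented, would write the crypt key and the cookie value into the response; delete it, and if a trace is useful route it through `dol_syslog("DolCookie::_setCookie name=".$this->myCookie." expire=".$this->myExpire);` without the key. Since the value is never needed by client-side script, passing `true` as the httponly argument to setcookie() in cryptCookie would also be a cheap hardening.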
@@ -168,13 +168,28 @@ function dol_loginfunction($langs,$conf,$mysoc)
 if (! empty($conf->global->MAIN_MODULE_MULTICOMPANY))
 {
 $html = new Form($db);
+ $lastentity = '';
+
+ if (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE))
+ {
+ $entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+ if (isset($_COOKIE[$entityCookieName]))
+ {
+ include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php");
+
+ $cryptkey = (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY : '' );
+
+ $entityCookie = new DolCookie($cryptkey);
+ $lastentity = $entityCookie->_getCookie($entityCookieName);
+ }
+ }
 //TODO: creer class
 $entity = array('1'=>'company1','2'=>'company2');
 print '   '.$langs->trans("Entity").'   ';
 print '';
- print $html->selectarray('entity',$entity,'',0,0,0,1,'tabindex="3"');
+ print $html->selectarray('entity',$entity,$lastentity,0,0,0,1,'tabindex="3"');
 print '';
 }
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 2bab5528913..ea3e6ea1e5f 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -126,9 +126,6 @@ if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessio
 session_name($sessionname);
 session_start();
-// Security. TODO Check if this is usefull.
-//if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand();
-
 // Set and init common variables
 // This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects
 require_once("master.inc.php");
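Review bot: `$lastentity` comes straight from the cookie via _getCookie and is handed to selectarray as the selected value without any check that it is one of the `$entity` keys; the cookie is client-controlled (and stored in clear when MAIN_MULTICOMPANY_COOKIE_CRYPTKEY is empty), so validate it once `$entity` is built: `if (! array_key_exists($lastentity, $entity)) $lastentity = '';`. Whether selectarray escapes the selected value is not visible here, which is one more reason to bound it to known keys. The cookie-name derivation `'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"])` and the crypt-key fallback are duplicated verbatim in main.inc.php; a single helper in cookie.class.php would keep the reader and writer from drifting apart.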
@@ -184,6 +181,7 @@ if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSI
 if (($_POST['token'] != $_SESSION['token_level_1']) && ($_POST['token'] != $_SESSION['token_level_2']))
 {
 dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token_level_1']=".$_SESSION['token_level_1'].", _SESSION['token_level_2']=".$_SESSION['token_level_2']);
+ print 'Unset POST by CSRF protection in main.inc.php.';
 unset($_POST);
 }
 }
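Review bot: `print 'Unset POST by CSRF protection in main.inc.php.';` emits output from main.inc.php before the calling page has sent its headers or any HTML, so a later header() or redirect on the same request fails with "headers already sent" and the text lands outside the page layout; it also reveals an internal file name to the client. The dol_syslog call on the previous line already records the event for operators, so drop the print, or set a flag such as `$csrf_blocked = true;` (constructed name) for the page to render in its own output. Separately, the surrounding `!=` comparisons on the context line are loose; where the supported PHP version has it, `hash_equals((string) $_SESSION['token_level_1'], (string) $_POST['token'])` compares tokens strictly and in constant time, otherwise at least `!==`.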
@@ -442,27 +440,21 @@ if (! isset($_SESSION["dol_login"]))
 $db->commit();
 }
- // Create entity cookie
- // TODO Replace cookie usage to store entity in session to make code so much simpler with no
- // need to crypt, no need to use token, etc...
- // No data specific to session must be stored in cookies as this is the goal of session
- // object and not cookie. Saving entity in session should save a large amount of useless code,
- // make code cleaner and solve pb of forged cookie.
-/* if ($conf->multicompany->enabled && isset($_POST["entity"]))
+ // Create entity cookie, just used for login page
+ if (!empty($conf->global->MAIN_MODULE_MULTICOMPANY) && !empty($conf->global->MAIN_MULTICOMPANY_COOKIE) && isset($_POST["entity"]))
 {
- include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php");
+ include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php");
 $entity = $_POST["entity"];
- $entityCookieName = "DOLENTITYID_dolibarr";
-
- if (!isset($_COOKIE[$entityCookieName]))
- {
- // Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
- $entityCookie = new DolCookie($_SESSION['cryptkey']);
- $entityCookie->_setCookie($entityCookieName, $entity);
- }
+ $entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+ // TTL : sera defini dans la page de config multicompany
+ $ttl = (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_TTL) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_TTL : time()+60*60*8 );
+ // Cryptkey : sera cree aleatoirement dans la page de config multicompany
+ $cryptkey = (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_CRYPTKEY : '' );
+
+ $entityCookie = new DolCookie($cryptkey);
+ $entityCookie->_setCookie($entityCookieName, $entity);
 }
-*/
 // Module webcalendar
 if (! empty($conf->webcal->enabled) && $user->webcal_login != "")
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index b9401eba70f..5601a24735a 100644
--- a/htdocs/master.inc.php
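Review bot: `$ttl` is computed but never used — `_setCookie($entityCookieName, $entity)` receives only name and value — and its two branches do not share units: MAIN_MULTICOMPANY_COOKIE_TTL reads like a duration per its comment, while the fallback `time()+60*60*8` is an absolute timestamp. Either drop the variable or normalise it to one convention and pass it to the setter (its signature is outside this hunk, so whether it accepts an expiry is not visible here), e.g. `$expire = time() + (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE_TTL) ? $conf->global->MAIN_MULTICOMPANY_COOKIE_TTL : 60*60*8);`. `$entity = $_POST["entity"];` is written to the cookie exactly as received; if entity ids are integers (the login-page list in security.lib.php uses numeric keys), cast with `(int)` before storing. Also note that logout.php no longer clears any entity cookie, so the new DOLENTITYID_* cookie now persists until it expires, which is fine for a login-page preference but should be said in the comment.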
+++ b/htdocs/master.inc.php
@@ -213,28 +213,9 @@ if (! defined('NOREQUIREDB'))
 {
 $conf->entity = $_ENV["dol_entity"];
 }
- else // Entity from login page
+ elseif (isset($_POST["loginfunction"]) && isset($_POST["entity"])) // Just after a login page
 {
- if (isset($_POST["loginfunction"]) && isset($_POST["entity"])) // Just after a login page
- {
- $conf->entity = $_POST["entity"];
- }
- else
- {
- // TODO MULTICOMP This can be removed now.
- // Cookie usage replaced with session to save a lot of code and avoid cookie forging.
- /*
- $entityCookieName="DOLENTITYID_dolibarr";
- if (isset($_COOKIE[$entityCookieName])) // Should not be used anymore
- {
- include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php");
-
- // Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
- $entityCookie = new DolCookie($_SESSION['cryptkey']);
- $conf->entity = $entityCookie->_getCookie($entityCookieName);
- }
- */
- }
+ $conf->entity = $_POST["entity"];
 }
 $conf->setValues($db);
 }
diff --git a/htdocs/user/logout.php b/htdocs/user/logout.php
index 68cabda53f8..eb65b0cf900 100644
--- a/htdocs/user/logout.php
+++ b/htdocs/user/logout.php
@@ -55,14 +55,6 @@ session_name($sessionname);
 session_destroy();
 dol_syslog("End of session ".$sessionname);
-// Destroy entity cookie
-// TODO MULTICOMP Must fix this. Use session instead of cookie.
-if ($conf->multicompany->enabled)
-{
- $entityCookieName = "DOLENTITYID_dolibarr";
- setcookie($entityCookieName, '', 1, "/");
-}
-
 // Define url to go
 $url=DOL_URL_ROOT."/index.php"; // By default go to login page
 if ($urlfrom)
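Review bot: The new `elseif` branch assigns `$_POST["entity"]` to `$conf->entity` without validation, and `$conf->setValues($db)` on the next context line then loads configuration for that value; the removed code carried the same assignment, so this is a pre-existing gap the restructuring keeps rather than closes. If entity ids are integers (the login-page list in security.lib.php uses numeric keys), `$conf->entity = (int) $_POST["entity"];` bounds what reaches setValues, whose handling of the value is not visible here. A short comment on the `elseif` stating that this path only chooses which entity the login form is submitted against would also help the next reader, since the `// Just after a login page` trailer alone does not say why POST is trusted for this.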