From 8e167d3f80a506c39f3e09b3fb38f22abcf57217 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 22 May 2009 00:20:45 +0000
Subject: [PATCH] Qual: Now creation of session is done before the loading of conf. This make code much easier to understand.
---
 htdocs/lib/security.lib.php | 4 ++++
 htdocs/main.inc.php | 11 ++++++-----
 htdocs/master.inc.php | 2 ++
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php
index 4d1531487a1..a6a3046af70 100644
--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
@@ -43,6 +43,10 @@ function dol_loginfunction($langs,$conf,$mysoc)
 header('Cache-Control: Public, must-revalidate');
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
+ // Set cookie for timeout management
+ $sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+ if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
+
 if (! empty($_REQUEST["urlfrom"])) $_SESSION["urlfrom"]=$_REQUEST["urlfrom"];
 else unset($_SESSION["urlfrom"]);
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index cdaf9703727..2bab5528913 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
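Review bot: The value written by the new setcookie call is a server-side setting that only exists to be read back by main.inc.php into session.gc_maxlifetime before configuration is loaded, so whatever comes back in that cookie is chosen by the client, not by this code; nothing in the hunk is wrong by itself, but the cookie must not be mistaken for a control and that should be stated where it is set. I would put `// Informational only: the browser can return any value here, so the reader in main.inc.php must validate it` above the setcookie line and send an integer rather than the raw config string, `setcookie($sessiontimeout, (int) $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);`. Whether keeping a last-activity timestamp in $_SESSION after login would make the cookie unnecessary depends on code outside this hunk. dol_loginfunction starts and continues outside the hunk.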
@@ -121,13 +121,13 @@ set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 // Init session. Name of session is specific to Dolibarr instance.
 $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($_SERVER["DOLSESSTIMEOUT"])) ini_set('session.gc_maxlifetime',$_SERVER["DOLSESSTIMEOUT"]);
-if (! empty($_COOKIE["DOLSESSTIMEOUT"])) ini_set('session.gc_maxlifetime',$_REQUEST["DOLSESSTIMEOUT"]);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
 session_name($sessionname);
 session_start();
 // Security. TODO Check if this is usefull.
-if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand();
+//if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand();
 // Set and init common variables
 // This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects
@@ -189,7 +189,7 @@ if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSI
 }
-// Disable modules (this must be after session_start and after conf has been reloaded)
+// Disable modules (this must be after session_start and after conf has been loaded)
 if (! empty($_REQUEST["disablemodules"])) $_SESSION["disablemodules"]=$_REQUEST["disablemodules"];
 if (! empty($_SESSION["disablemodules"]))
 {
@@ -448,7 +448,7 @@ if (! isset($_SESSION["dol_login"]))
 // No data specific to session must be stored in cookies as this is the goal of session
 // object and not cookie. Saving entity in session should save a large amount of useless code,
 // make code cleaner and solve pb of forged cookie.
- if ($conf->multicompany->enabled && isset($_POST["entity"]))
+/* if ($conf->multicompany->enabled && isset($_POST["entity"]))
 {
 include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php");
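Review bot: The added ini_set line passes the cookie name, `$sessiontimeout`, as the lifetime instead of the cookie value, so whenever the cookie is present session.gc_maxlifetime receives the string `DOLSESSTIMEOUT_<md5>`, which is not a number and will presumably be taken as 0, making every session eligible for garbage collection at once. Even with `$_COOKIE[$sessiontimeout]` passed instead, the value is client-controlled and gc_maxlifetime is a global setting applied to every session on the save path whenever GC happens to run in the current request, so a client sending a tiny value can expire other users' sessions and a large one defeats the administrator's MAIN_SESSION_TIMEOUT. At minimum change the line to `if (! empty($_COOKIE[$sessiontimeout]) && ctype_digit((string) $_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime', (int) $_COOKIE[$sessiontimeout]);` and cap the accepted value at a sane upper bound; the robust fix is to enforce the timeout from a last-activity timestamp stored in $_SESSION once conf is available, so the cookie is never trusted for lifetime decisions.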
@@ -462,6 +462,7 @@ if (! isset($_SESSION["dol_login"]))
 $entityCookie->_setCookie($entityCookieName, $entity);
 }
 }
+*/
 // Module webcalendar
 if (! empty($conf->webcal->enabled) && $user->webcal_login != "")
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 001da3b669d..b9401eba70f 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@@ -223,6 +223,7 @@ if (! defined('NOREQUIREDB'))
 {
 // TODO MULTICOMP This can be removed now.
 // Cookie usage replaced with session to save a lot of code and avoid cookie forging.
+ /*
 $entityCookieName="DOLENTITYID_dolibarr";
 if (isset($_COOKIE[$entityCookieName])) // Should not be used anymore
 {
@@ -232,6 +233,7 @@ if (! defined('NOREQUIREDB'))
 $entityCookie = new DolCookie($_SESSION['cryptkey']);
 $conf->entity = $entityCookie->_getCookie($entityCookieName);
 }
+ */
 }
 }
 $conf->setValues($db);
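Review bot: The block closed by the new `*/` is disabled rather than deleted, and it still calls `new DolCookie($_SESSION['cryptkey'])` although this same commit stops initialising `$_SESSION['cryptkey']` in main.inc.php, so anyone who later uncomments it gets a DolCookie keyed on an unset value. The TODO above it already says the code can be removed; delete the block instead of carrying dead code that references a session key the application no longer sets. The enclosing `if (! defined('NOREQUIREDB'))` block starts outside the hunk.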