Session name DOLSESSID_databasename is replaced with DOLSESSID_dolibarrwebinstance. This removes a key read in conf.class.php that was used to name the session because, to make the code simpler, we will need to create the session before the conf is loaded. This is also more secure because it makes it possible to run 2 Dolibarr instances even if the database names are the same on two different MySQL servers.
Also add comments in the code as reminders to simplify things.
This commit is contained in:
parent
8fe962991f
commit
9a38002c46
@ -63,6 +63,8 @@ $var=true;
|
||||
print '<table class="noborder" width="100%">';
|
||||
print '<tr class="liste_titre"><td>'.$langs->trans("Session").'</td><td colspan="2">'.$langs->trans("Value").'</td></tr>'."\n";
|
||||
$var=!$var;
|
||||
print "<tr ".$bc[$var]."><td width=\"300\">".$langs->trans("SessionName").'</td><td colspan="2">'.session_name()."</td></tr>\n";
|
||||
$var=!$var;
|
||||
print "<tr ".$bc[$var]."><td width=\"300\">".$langs->trans("SessionId").'</td><td colspan="2">'.session_id()."</td></tr>\n";
|
||||
$var=!$var;
|
||||
print "<tr ".$bc[$var]."><td width=\"300\">".$langs->trans("CurrentSessionTimeOut").'</td><td>'.ini_get('session.gc_maxlifetime').' '.$langs->trans("seconds");
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2007-2008 Jérémie Ollivier <jeremie.o@laposte.net>
|
||||
/* Copyright (C) 2007-2008 J<EFBFBD>r<EFBFBD>mie Ollivier <jeremie.o@laposte.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -18,18 +18,19 @@
|
||||
include('../master.inc.php');
|
||||
|
||||
// Init session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));
|
||||
|
||||
// Destroy session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_destroy();
|
||||
dol_syslog("End session in DOLSESSID_".$dolibarr_main_db_name);
|
||||
dol_syslog("End of session ".$sessionname);
|
||||
|
||||
|
||||
header ('Location: index.php');
|
||||
|
||||
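Review bot: The new `$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);` line builds the cookie name from `SERVER_NAME`, which on Apache follows the request's Host header unless UseCanonicalName is on, so the name varies with the hostname or alias the client uses rather than with the installed instance; `DOCUMENT_ROOT` is the only server-controlled part of the key. If the intent is "one name per instance", deriving it from `DOCUMENT_ROOT` alone (or from a fixed key once the config file is readable) is more stable, and the assumption deserves a comment such as `// SERVER_NAME may mirror the Host header; instance identity rests on DOCUMENT_ROOT`. The same line recurs in every other `// Init session` and `// Destroy session` hunk of this commit, so whatever is decided applies to all of them. The ereg family was later deprecated and removed; `preg_replace('/[^a-z0-9]/i', '', ...)` is the equivalent.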
@ -16,8 +16,8 @@
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*/
|
||||
|
||||
// Init session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2007-2008 Jérémie Ollivier <jeremie.o@laposte.net>
|
||||
/* Copyright (C) 2007-2008 J<EFBFBD>r<EFBFBD>mie Ollivier <jeremie.o@laposte.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -17,8 +17,8 @@
|
||||
*/
|
||||
include('../master.inc.php');
|
||||
|
||||
// Init session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
@ -40,7 +40,7 @@ if ( $_SESSION['uid'] > 0 ) {
|
||||
|
||||
<meta name="robots" content="none" />
|
||||
|
||||
<meta name="author" content="Jérémie Ollivier - jeremie.o@laposte.net" />
|
||||
<meta name="author" content="J<EFBFBD>r<EFBFBD>mie Ollivier - jeremie.o@laposte.net" />
|
||||
<meta name="Generator" content="Kwrite, Gimp, Inkscape" />
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-15" />
|
||||
|
||||
@ -35,8 +35,8 @@ require_once("../master.inc.php");
|
||||
require_once DOL_DOCUMENT_ROOT.'/../external-libs/Artichow/Artichow.cfg.php';
|
||||
require_once ARTICHOW."/AntiSpam.class.php";
|
||||
|
||||
// Init session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
|
||||
@ -118,16 +118,18 @@ if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERV
|
||||
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
|
||||
|
||||
// Security session
|
||||
// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some session handlers
|
||||
$sessionname="DOLSESSID_SECURITY";
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand();
|
||||
|
||||
// Set and init common variables
|
||||
// This include will set: $conf, $langs and $mysoc objects
|
||||
// This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects
|
||||
require_once("master.inc.php");
|
||||
|
||||
//Fermeture de la session de securite, ses donnees sont sauvegardees
|
||||
// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some web servers.
|
||||
session_write_close();
|
||||
|
||||
// Check if HTTPS
|
||||
@ -169,8 +171,8 @@ if (! defined('NOREQUIREHTML')) require_once(DOL_DOCUMENT_ROOT ."/html.form.clas
|
||||
if (! defined('NOREQUIREAJAX') && $conf->use_javascript_ajax) require_once(DOL_DOCUMENT_ROOT.'/lib/ajax.lib.php'); // Need 20ko memory
|
||||
//stopwithmem();
|
||||
|
||||
// Init session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
@ -448,6 +450,11 @@ if (! isset($_SESSION["dol_login"]))
|
||||
}
|
||||
|
||||
// Create entity cookie
|
||||
// TODO Replace cookie usage to store entity in session to make code so much simpler with no
|
||||
// need to crypt, no need to use token, etc...
|
||||
// No data specific to session must be stored in cookies as this is the goal of session
|
||||
// object and not cookie. Saving entity in session should save a large amount of useless code,
|
||||
// make code cleaner and solve pb of forged cookie.
|
||||
if ($conf->multicompany->enabled && isset($_POST["entity"]))
|
||||
{
|
||||
include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php");
|
||||
@ -455,7 +462,7 @@ if (! isset($_SESSION["dol_login"]))
|
||||
$entity = $_POST["entity"];
|
||||
$entityCookieName = "DOLENTITYID_dolibarr";
|
||||
|
||||
if (!isset($HTTP_COOKIE_VARS[$entityCookieName]))
|
||||
if (!isset($_COOKIE[$entityCookieName]))
|
||||
{
|
||||
// Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
|
||||
$entityCookie = new DolCookie($_SESSION['cryptkey']);
|
||||
@ -467,18 +474,16 @@ if (! isset($_SESSION["dol_login"]))
|
||||
if (! empty($conf->webcal->enabled) && $user->webcal_login != "")
|
||||
{
|
||||
$domain='';
|
||||
// Extract domain from url (Useless because only cookie on same domain are authorized by browser
|
||||
//if (eregi('^(https:[\\\/]+[^\\\/]+)',$conf->global->PHPWEBCALENDAR_URL,$reg)) $domain=$reg[1];
|
||||
|
||||
// Creation du cookie permettant de sauver le login
|
||||
$cookiename='webcalendar_login';
|
||||
if (! isset($HTTP_COOKIE_VARS[$cookiename]))
|
||||
if (! isset($_COOKIE[$cookiename]))
|
||||
{
|
||||
setcookie($cookiename, $user->webcal_login, 0, "/", $domain, 0);
|
||||
}
|
||||
// Creation du cookie permettant de sauver la session
|
||||
$cookiename='webcalendar_session';
|
||||
if (! isset($HTTP_COOKIE_VARS[$cookiename]))
|
||||
if (! isset($_COOKIE[$cookiename]))
|
||||
{
|
||||
setcookie($cookiename, 'TODO', 0, "/", $domain, 0);
|
||||
}
|
||||
@ -488,7 +493,7 @@ if (! isset($_SESSION["dol_login"]))
|
||||
if (! empty($conf->phenix->enabled) && $user->phenix_login != "" && $conf->phenix->cookie)
|
||||
{
|
||||
// Creation du cookie permettant la connexion automatique, valide jusqu'a la fermeture du browser
|
||||
if (!isset($HTTP_COOKIE_VARS[$conf->phenix->cookie]))
|
||||
if (!isset($_COOKIE[$conf->phenix->cookie]))
|
||||
{
|
||||
setcookie($conf->phenix->cookie, $user->phenix_login.":".$user->phenix_pass_crypted.":1", 0, "/", "", 0);
|
||||
}
|
||||
|
||||
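Review bot: `$entityCookieName = "DOLENTITYID_dolibarr";` stays a fixed string while the session name in the same file was just made instance-specific, so two Dolibarr instances served from the same host may still see each other's entity cookie (depending on the path DolCookie sets, which is not visible here); the same constant is set in the `@@ -205,6 +205,9` master.inc.php hunk and in the logout `// Destroy entity cookie` hunk. Deriving it the same way as `$sessionname`, or moving the entity into the session as the new TODO proposes, would close that gap. The three new TODO MULTICOMP comments give three different reasons for the two-session problem ("some session handlers", "some web servers", "some PHP session handlers"); a single wording such as `// TODO MULTICOMP Two sessions in one request break with some PHP session handlers` would avoid the ambiguity.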
@ -205,6 +205,9 @@ if (! defined('NOREQUIREUSER'))
|
||||
*/
|
||||
if (! defined('NOREQUIREDB'))
|
||||
{
|
||||
// TODO MULTICOMP Must fix this. Using cookie object inside the master.inc.php
|
||||
// should be forbidden. Must replace cookie usage with session to save
|
||||
// a lot of code and avoid cookie forging.
|
||||
$entityCookieName="DOLENTITYID_dolibarr";
|
||||
// Retrieve the entity
|
||||
if (isset($_POST["loginfunction"]) && isset($_POST["entity"])) // Just after a login page
|
||||
@ -221,7 +224,7 @@ if (! defined('NOREQUIREDB'))
|
||||
}
|
||||
elseif (session_id() && isset($_SESSION["dol_entity"])) // Inside an opened session
|
||||
{
|
||||
// TODO This is not used for the moment as session is started after for the moment
|
||||
// TODO MULTICOMP This is not used for the moment as session is started after for the moment
|
||||
$conf->entity = $_SESSION["dol_entity"];
|
||||
}
|
||||
elseif (isset($_ENV["dol_entity"])) // If inside a CLI script
|
||||
|
||||
@ -27,7 +27,9 @@
|
||||
*/
|
||||
|
||||
// Creation d'un jeton contre les failles CSRF
|
||||
$sessionname="DOLSESSID_PAYBOX";
|
||||
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
$token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire
|
||||
|
||||
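Review bot: This `// Init session` block lacks the `if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);` line that every other rebuilt init block in this commit carries, so this entry point would run with the default session lifetime while the others honour the configured one. If `$conf` is deliberately not available at this point, a comment stating that would explain the omission; otherwise the line should be added for consistency. Now that this page shares the instance session instead of the separate `DOLSESSID_PAYBOX` one, a short comment above `session_start()` noting that its `$_SESSION` keys now live in the main session namespace would help the next maintainer.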
@ -45,28 +45,31 @@ if ($conf->phenix->enabled && $conf->phenix->cookie)
|
||||
}
|
||||
|
||||
// Destroy session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_destroy();
|
||||
dol_syslog("End session in DOLSESSID_".$dolibarr_main_db_name);
|
||||
dol_syslog("End of session ".$sessionname);
|
||||
|
||||
// Destroy security session
|
||||
// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some PHP session handlers.
|
||||
$sessionname="DOLSESSID_SECURITY";
|
||||
session_name($sessionname);
|
||||
session_destroy();
|
||||
dol_syslog("End security session in DOLSESSID_".$dolibarr_main_db_name);
|
||||
dol_syslog("End of session ".$sessionname);
|
||||
|
||||
// Init session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));
|
||||
|
||||
session_unregister("dol_login");
|
||||
session_unregister("dol_entity");
|
||||
|
||||
// Destroy entity cookie
|
||||
// TODO MULTICOMP Must fix this. Use session instead of cookie.
|
||||
if ($conf->multicompany->enabled)
|
||||
{
|
||||
$entityCookieName = "DOLENTITYID_dolibarr";
|
||||
|
||||
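Review bot: Both the `// Destroy session` and `// Destroy security session` blocks call `session_destroy()` right after `session_name()` without a `session_start()`; PHP only destroys a session that is active in the current request, so these calls most likely warn and leave the server-side data in place, and the logout then rests on the `session_unregister()` calls made after the third `session_start()`. A sequence that actually removes the data is `session_name($sessionname); session_start(); $_SESSION = array(); session_destroy();`, and nothing in this hunk expires the session cookie on the client either. The same destroy-without-start pattern appears in the earlier `@@ -18,18 +18,19` hunk.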
@ -30,8 +30,8 @@ require_once(DOL_DOCUMENT_ROOT."/contact.class.php");
|
||||
require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
|
||||
require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php");
|
||||
|
||||
// Init session
|
||||
$sessionname="DOLSESSID_".$dolibarr_main_db_name;
|
||||
// Init session. Name of session is specific to Dolibarr instance.
|
||||
$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
|
||||
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
|
||||
session_name($sessionname);
|
||||
session_start();
|
||||
|
||||