diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index 5c5d1801b60..fda0b3a2b19 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -63,6 +63,8 @@ $var=true; print ''; print ''."\n"; $var=!$var; +print "\n"; +$var=!$var; print "\n"; $var=!$var; print "
'.$langs->trans("Session").''.$langs->trans("Value").'
".$langs->trans("SessionName").''.session_name()."
".$langs->trans("SessionId").''.session_id()."
".$langs->trans("CurrentSessionTimeOut").''.ini_get('session.gc_maxlifetime').' '.$langs->trans("seconds"); diff --git a/htdocs/cashdesk/deconnexion.php b/htdocs/cashdesk/deconnexion.php index 0b94f35b2a0..f7b510516ac 100644 --- a/htdocs/cashdesk/deconnexion.php +++ b/htdocs/cashdesk/deconnexion.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2007-2008 J�r�mie Ollivier * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -18,18 +18,19 @@ include('../master.inc.php'); // Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); // Destroy session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_destroy(); -dol_syslog("End session in DOLSESSID_".$dolibarr_main_db_name); +dol_syslog("End of session ".$sessionname); header ('Location: index.php'); diff --git a/htdocs/cashdesk/include/environnement.php b/htdocs/cashdesk/include/environnement.php index 3fe3aad515a..8d243fbdab6 100644 --- a/htdocs/cashdesk/include/environnement.php +++ b/htdocs/cashdesk/include/environnement.php 
@@ -16,8 +16,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php index 223770c0e88..cd793ca2b45 100644 --- a/htdocs/cashdesk/index.php +++ b/htdocs/cashdesk/index.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2007-2008 J�r�mie Ollivier * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,8 +17,8 @@ */ include('../master.inc.php'); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); @@ -40,7 +40,7 @@ if ( $_SESSION['uid'] > 0 ) { - + diff --git a/htdocs/lib/antispamimage.php b/htdocs/lib/antispamimage.php index e579ec70544..8636372a86b 100644 --- a/htdocs/lib/antispamimage.php +++ b/htdocs/lib/antispamimage.php 
@@ -35,8 +35,8 @@ require_once("../master.inc.php"); require_once DOL_DOCUMENT_ROOT.'/../external-libs/Artichow/Artichow.cfg.php'; require_once ARTICHOW."/AntiSpam.class.php"; -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d97667a9dde..737d4ad8499 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -118,16 +118,18 @@ if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERV set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs'); // Security session +// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some session handlers $sessionname="DOLSESSID_SECURITY"; session_name($sessionname); session_start(); if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand(); // Set and init common variables -// This include will set: $conf, $langs and $mysoc objects +// This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects require_once("master.inc.php"); //Fermeture de la session de securite, ses donnees sont sauvegardees +// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some web servers. session_write_close(); // Check if HTTPS 
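Review bot: The `$_SESSION['cryptkey'] = mt_rand();` line in the main.inc.php hunk (`@@ -118,16 +118,18 @@`) produces the key that the later hunk's TODO relies on against cookie forging, yet it is a Mersenne-Twister value of at most 31 bits rather than output of a cryptographic source. Until the entity is moved into the session as the TODO proposes, draw the key from a CSPRNG and widen it, e.g. `if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = bin2hex(openssl_random_pseudo_bytes(16));` (or `random_bytes(16)` where PHP 7 is available). The two new TODO comments in this hunk also disagree on where the two-sessions-per-page problem lies ("session handlers" vs "web servers"); one wording, stated once, would be clearer.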
@@ -169,8 +171,8 @@ if (! defined('NOREQUIREHTML')) require_once(DOL_DOCUMENT_ROOT ."/html.form.clas if (! defined('NOREQUIREAJAX') && $conf->use_javascript_ajax) require_once(DOL_DOCUMENT_ROOT.'/lib/ajax.lib.php'); // Need 20ko memory //stopwithmem(); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); @@ -448,6 +450,11 @@ if (! isset($_SESSION["dol_login"])) } // Create entity cookie + // TODO Replace cookie usage to store entity in session to make code so much simpler with no + // need to crypt, no need to use token, etc... + // No data specific to session must be stored in cookies as this is the goal of session + // object and not cookie. Saving entity in session should save a large amount of useless code, + // make code cleaner and solve pb of forged cookie. if ($conf->multicompany->enabled && isset($_POST["entity"])) { include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php"); @@ -455,7 +462,7 @@ if (! isset($_SESSION["dol_login"])) $entity = $_POST["entity"]; $entityCookieName = "DOLENTITYID_dolibarr"; - if (!isset($HTTP_COOKIE_VARS[$entityCookieName])) + if (!isset($_COOKIE[$entityCookieName])) { // Utilisation de $_SESSION['cryptkey'] comme cle de cryptage $entityCookie = new DolCookie($_SESSION['cryptkey']); 
@@ -467,18 +474,16 @@ if (! isset($_SESSION["dol_login"])) if (! empty($conf->webcal->enabled) && $user->webcal_login != "") { $domain=''; - // Extract domain from url (Useless because only cookie on same domain are authorized by browser - //if (eregi('^(https:[\\\/]+[^\\\/]+)',$conf->global->PHPWEBCALENDAR_URL,$reg)) $domain=$reg[1]; // Creation du cookie permettant de sauver le login $cookiename='webcalendar_login'; - if (! isset($HTTP_COOKIE_VARS[$cookiename])) + if (! isset($_COOKIE[$cookiename])) { setcookie($cookiename, $user->webcal_login, 0, "/", $domain, 0); } // Creation du cookie permettant de sauver la session $cookiename='webcalendar_session'; - if (! isset($HTTP_COOKIE_VARS[$cookiename])) + if (! isset($_COOKIE[$cookiename])) { setcookie($cookiename, 'TODO', 0, "/", $domain, 0); } @@ -488,7 +493,7 @@ if (! isset($_SESSION["dol_login"])) if (! empty($conf->phenix->enabled) && $user->phenix_login != "" && $conf->phenix->cookie) { // Creation du cookie permettant la connexion automatique, valide jusqu'a la fermeture du browser - if (!isset($HTTP_COOKIE_VARS[$conf->phenix->cookie])) + if (!isset($_COOKIE[$conf->phenix->cookie])) { setcookie($conf->phenix->cookie, $user->phenix_login.":".$user->phenix_pass_crypted.":1", 0, "/", "", 0); } diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 4ce6de3f687..9e46d3bccc4 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -205,6 +205,9 @@ if (! defined('NOREQUIREUSER')) */ if (! defined('NOREQUIREDB')) { + // TODO MULTICOMP Must fix this. Using cookie object inside the master.inc.php + // should be forbidden. Must replace cookie usage with session to save + // a lot of code and avoid cookie forging. $entityCookieName="DOLENTITYID_dolibarr"; // Retrieve the entity if (isset($_POST["loginfunction"]) && isset($_POST["entity"])) // Just after a login page 
@@ -221,7 +224,7 @@ if (! defined('NOREQUIREDB')) } elseif (session_id() && isset($_SESSION["dol_entity"])) // Inside an opened session { - // TODO This is not used for the moment as session is started after for the moment + // TODO MULTICOMP This is not used for the moment as session is started after for the moment $conf->entity = $_SESSION["dol_entity"]; } elseif (isset($_ENV["dol_entity"])) // If inside a CLI script diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php index f5bd30c8ddd..52ca5510caa 100644 --- a/htdocs/public/paybox/newpayment.php +++ b/htdocs/public/paybox/newpayment.php @@ -27,7 +27,9 @@ */ // Creation d'un jeton contre les failles CSRF -$sessionname="DOLSESSID_PAYBOX"; + +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); session_name($sessionname); session_start(); $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire diff --git a/htdocs/user/logout.php b/htdocs/user/logout.php index a0757962b0e..49c4bd341d2 100644 --- a/htdocs/user/logout.php +++ b/htdocs/user/logout.php 
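Review bot: newpayment.php (`@@ -27,7 +27,9 @@`) is a public page, and switching it from its own `DOLSESSID_PAYBOX` name to the application-wide session name means requests from unauthenticated visitors now create sessions under the same name that authenticated users' sessions use; the previous separate name kept this page's CSRF token isolated from the login session. If sharing is intended, state it in the comment, e.g. `// Uses the main Dolibarr session name so the CSRF token is shared with the authenticated session`; otherwise keep a page-specific name. The token on the following line, `md5(uniqid(mt_rand(),TRUE))`, is likewise not derived from a cryptographic source; `bin2hex(openssl_random_pseudo_bytes(16))` would give an unpredictable token. Unlike the other hunks in this commit, this one does not apply MAIN_SESSION_TIMEOUT before `session_start()`, so sessions first started here get a different lifetime if `$conf` is available on this page.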
@@ -45,28 +45,31 @@ if ($conf->phenix->enabled && $conf->phenix->cookie) } // Destroy session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_destroy(); -dol_syslog("End session in DOLSESSID_".$dolibarr_main_db_name); +dol_syslog("End of session ".$sessionname); // Destroy security session +// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some PHP session handlers. $sessionname="DOLSESSID_SECURITY"; session_name($sessionname); session_destroy(); -dol_syslog("End security session in DOLSESSID_".$dolibarr_main_db_name); +dol_syslog("End of session ".$sessionname); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); session_unregister("dol_login"); +session_unregister("dol_entity"); // Destroy entity cookie +// TODO MULTICOMP Must fix this. Use session instead of cookie. if ($conf->multicompany->enabled) { $entityCookieName = "DOLENTITYID_dolibarr"; diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index b3d6424b887..fd9e01e85dd 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php 
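Review bot: The added `session_unregister("dol_entity");` uses a function deprecated since PHP 5.3 and removed in 5.4; the direct form `unset($_SESSION['dol_entity']);` (and the same for the `dol_login` line above it) is what current PHP supports. Since the hunk restarts the user session with `session_start()` immediately after destroying it, the client keeps its previous session id; adding `session_regenerate_id(true);` after that restart would make logout produce a fresh identifier. The `dol_syslog(...)` line in the hunk also writes `session_id()` into the log, which places a live session identifier in log files.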
@@ -30,8 +30,8 @@ require_once(DOL_DOCUMENT_ROOT."/contact.class.php"); require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php"); require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php"); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start();