From 9a38002c46fe6f32d5db18e13604b4866ead184f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 21 May 2009 13:37:18 +0000 Subject: [PATCH] Session name DOLSESSID_databasename is replace with DOLSESSID_dolibarrwebinstance. This remove a key read in conf.class.php used to name session because, to make code simpler, we will need to create session before the conf is loaded. This is also most secure because it is possible to use 2 dolibarr instances even if database names are same on two different mysql server. Add also comments on code to remember to simplify things. --- htdocs/admin/system/dolibarr.php | 2 ++ htdocs/cashdesk/deconnexion.php | 9 +++++---- htdocs/cashdesk/include/environnement.php | 4 ++-- htdocs/cashdesk/index.php | 8 ++++---- htdocs/lib/antispamimage.php | 4 ++-- htdocs/main.inc.php | 23 ++++++++++++++--------- htdocs/master.inc.php | 5 ++++- htdocs/public/paybox/newpayment.php | 4 +++- htdocs/user/logout.php | 13 ++++++++----- htdocs/user/passwordforgotten.php | 4 ++-- 10 files changed, 46 insertions(+), 30 deletions(-) diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index 5c5d1801b60..fda0b3a2b19 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -63,6 +63,8 @@ $var=true; print ''; print ''."\n"; $var=!$var; +print "\n"; +$var=!$var; print "\n"; $var=!$var; print "
'.$langs->trans("Session").''.$langs->trans("Value").'
".$langs->trans("SessionName").''.session_name()."
".$langs->trans("SessionId").''.session_id()."
".$langs->trans("CurrentSessionTimeOut").''.ini_get('session.gc_maxlifetime').' '.$langs->trans("seconds"); diff --git a/htdocs/cashdesk/deconnexion.php b/htdocs/cashdesk/deconnexion.php index 0b94f35b2a0..f7b510516ac 100644 --- a/htdocs/cashdesk/deconnexion.php +++ b/htdocs/cashdesk/deconnexion.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2007-2008 J�r�mie Ollivier * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -18,18 +18,19 @@ include('../master.inc.php'); // Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); // Destroy session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_destroy(); -dol_syslog("End session in DOLSESSID_".$dolibarr_main_db_name); +dol_syslog("End of session ".$sessionname); header ('Location: index.php'); diff --git a/htdocs/cashdesk/include/environnement.php b/htdocs/cashdesk/include/environnement.php index 3fe3aad515a..8d243fbdab6 100644 --- a/htdocs/cashdesk/include/environnement.php +++ b/htdocs/cashdesk/include/environnement.php 
@@ -16,8 +16,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php index 223770c0e88..cd793ca2b45 100644 --- a/htdocs/cashdesk/index.php +++ b/htdocs/cashdesk/index.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2007-2008 J�r�mie Ollivier * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,8 +17,8 @@ */ include('../master.inc.php'); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); @@ -40,7 +40,7 @@ if ( $_SESSION['uid'] > 0 ) { - + diff --git a/htdocs/lib/antispamimage.php b/htdocs/lib/antispamimage.php index e579ec70544..8636372a86b 100644 --- a/htdocs/lib/antispamimage.php +++ b/htdocs/lib/antispamimage.php 
@@ -35,8 +35,8 @@ require_once("../master.inc.php"); require_once DOL_DOCUMENT_ROOT.'/../external-libs/Artichow/Artichow.cfg.php'; require_once ARTICHOW."/AntiSpam.class.php"; -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d97667a9dde..737d4ad8499 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -118,16 +118,18 @@ if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERV set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs'); // Security session +// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some session handlers $sessionname="DOLSESSID_SECURITY"; session_name($sessionname); session_start(); if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand(); // Set and init common variables -// This include will set: $conf, $langs and $mysoc objects +// This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects require_once("master.inc.php"); //Fermeture de la session de securite, ses donnees sont sauvegardees +// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some web servers. session_write_close(); // Check if HTTPS 
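Review bot: The two TODO MULTICOMP comments added in main.inc.php's first hunk attribute the same two-sessions hazard to different causes ("some session handlers" above session_start(), "some web servers" above session_write_close()), so a reader fixing one will not know which constraint is real. Stating the actual reason once is more useful: `// TODO MULTICOMP PHP allows only one active session per request; the security session is closed here so the instance session started below does not collide with it.` The cryptkey set with mt_rand() two lines above is existing code, but once the two sessions are merged that value should come from a CSPRNG rather than mt_rand().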
@@ -169,8 +171,8 @@ if (! defined('NOREQUIREHTML')) require_once(DOL_DOCUMENT_ROOT ."/html.form.clas if (! defined('NOREQUIREAJAX') && $conf->use_javascript_ajax) require_once(DOL_DOCUMENT_ROOT.'/lib/ajax.lib.php'); // Need 20ko memory //stopwithmem(); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); @@ -448,6 +450,11 @@ if (! isset($_SESSION["dol_login"])) } // Create entity cookie + // TODO Replace cookie usage to store entity in session to make code so much simpler with no + // need to crypt, no need to use token, etc... + // No data specific to session must be stored in cookies as this is the goal of session + // object and not cookie. Saving entity in session should save a large amount of useless code, + // make code cleaner and solve pb of forged cookie. if ($conf->multicompany->enabled && isset($_POST["entity"])) { include_once(DOL_DOCUMENT_ROOT . "/core/cookie.class.php"); @@ -455,7 +462,7 @@ if (! isset($_SESSION["dol_login"])) $entity = $_POST["entity"]; $entityCookieName = "DOLENTITYID_dolibarr"; - if (!isset($HTTP_COOKIE_VARS[$entityCookieName])) + if (!isset($_COOKIE[$entityCookieName])) { // Utilisation de $_SESSION['cryptkey'] comme cle de cryptage $entityCookie = new DolCookie($_SESSION['cryptkey']); 
@@ -467,18 +474,16 @@ if (! isset($_SESSION["dol_login"])) if (! empty($conf->webcal->enabled) && $user->webcal_login != "") { $domain=''; - // Extract domain from url (Useless because only cookie on same domain are authorized by browser - //if (eregi('^(https:[\\\/]+[^\\\/]+)',$conf->global->PHPWEBCALENDAR_URL,$reg)) $domain=$reg[1]; // Creation du cookie permettant de sauver le login $cookiename='webcalendar_login'; - if (! isset($HTTP_COOKIE_VARS[$cookiename])) + if (! isset($_COOKIE[$cookiename])) { setcookie($cookiename, $user->webcal_login, 0, "/", $domain, 0); } // Creation du cookie permettant de sauver la session $cookiename='webcalendar_session'; - if (! isset($HTTP_COOKIE_VARS[$cookiename])) + if (! isset($_COOKIE[$cookiename])) { setcookie($cookiename, 'TODO', 0, "/", $domain, 0); } @@ -488,7 +493,7 @@ if (! isset($_SESSION["dol_login"])) if (! empty($conf->phenix->enabled) && $user->phenix_login != "" && $conf->phenix->cookie) { // Creation du cookie permettant la connexion automatique, valide jusqu'a la fermeture du browser - if (!isset($HTTP_COOKIE_VARS[$conf->phenix->cookie])) + if (!isset($_COOKIE[$conf->phenix->cookie])) { setcookie($conf->phenix->cookie, $user->phenix_login.":".$user->phenix_pass_crypted.":1", 0, "/", "", 0); } diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 4ce6de3f687..9e46d3bccc4 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -205,6 +205,9 @@ if (! defined('NOREQUIREUSER')) */ if (! defined('NOREQUIREDB')) { + // TODO MULTICOMP Must fix this. Using cookie object inside the master.inc.php + // should be forbidden. Must replace cookie usage with session to save + // a lot of code and avoid cookie forging. $entityCookieName="DOLENTITYID_dolibarr"; // Retrieve the entity if (isset($_POST["loginfunction"]) && isset($_POST["entity"])) // Just after a login page 
@@ -221,7 +224,7 @@ if (! defined('NOREQUIREDB')) } elseif (session_id() && isset($_SESSION["dol_entity"])) // Inside an opened session { - // TODO This is not used for the moment as session is started after for the moment + // TODO MULTICOMP This is not used for the moment as session is started after for the moment $conf->entity = $_SESSION["dol_entity"]; } elseif (isset($_ENV["dol_entity"])) // If inside a CLI script diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php index f5bd30c8ddd..52ca5510caa 100644 --- a/htdocs/public/paybox/newpayment.php +++ b/htdocs/public/paybox/newpayment.php @@ -27,7 +27,9 @@ */ // Creation d'un jeton contre les failles CSRF -$sessionname="DOLSESSID_PAYBOX"; + +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); session_name($sessionname); session_start(); $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire diff --git a/htdocs/user/logout.php b/htdocs/user/logout.php index a0757962b0e..49c4bd341d2 100644 --- a/htdocs/user/logout.php +++ b/htdocs/user/logout.php 
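Review bot: newpayment.php's hunk replaces the dedicated `DOLSESSID_PAYBOX` session with the instance-wide name, so this public, unauthenticated page now starts, and writes its CSRF `$token` into, the same session cookie and data namespace as the authenticated back-office. A session id issued to an anonymous visitor here will be carried into a later login in the same browser; that is harmless only if the login path calls `session_regenerate_id(true)`, which is outside this diff and worth confirming. If it does not, keeping a distinct name for public pages, e.g. `$sessionname='DOLSESSID_PAYBOX_'.md5($_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);`, preserves the per-instance isolation the commit aims for without sharing state with logged-in users.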
@@ -45,28 +45,31 @@ if ($conf->phenix->enabled && $conf->phenix->cookie) } // Destroy session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_destroy(); -dol_syslog("End session in DOLSESSID_".$dolibarr_main_db_name); +dol_syslog("End of session ".$sessionname); // Destroy security session +// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some PHP session handlers. $sessionname="DOLSESSID_SECURITY"; session_name($sessionname); session_destroy(); -dol_syslog("End security session in DOLSESSID_".$dolibarr_main_db_name); +dol_syslog("End of session ".$sessionname); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start(); dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); session_unregister("dol_login"); +session_unregister("dol_entity"); // Destroy entity cookie +// TODO MULTICOMP Must fix this. Use session instead of cookie. if ($conf->multicompany->enabled) { $entityCookieName = "DOLENTITYID_dolibarr"; diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index b3d6424b887..fd9e01e85dd 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php 
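Review bot: In logout.php the security session is "destroyed" by `session_name("DOLSESSID_SECURITY"); session_destroy();` after the instance session has already been destroyed, but session_destroy() only acts on the currently active session; main.inc.php's hunks show the security session is closed with session_write_close() before the instance session is started, so at this point no session is active and the call is presumably a no-op that still logs "End of session DOLSESSID_SECURITY" (confirm against the part of logout.php above the hunk, which presumably includes main.inc.php). The instance session is then immediately restarted under the same cookie id, so the id outlives the logout; `session_regenerate_id(true)` after that session_start(), or expiring the cookie with setcookie(), would close that gap, and deconnexion.php has the same destroy-then-redirect pattern. The existing `session_unregister("dol_login")` and the new `session_unregister("dol_entity")` are deprecated as of PHP 5.3; `unset($_SESSION['dol_login'], $_SESSION['dol_entity']);` is the supported form.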
@@ -30,8 +30,8 @@ require_once(DOL_DOCUMENT_ROOT."/contact.class.php"); require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php"); require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php"); -// Init session -$sessionname="DOLSESSID_".$dolibarr_main_db_name; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]); if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); session_name($sessionname); session_start();