From cda17da8b13c7a1f809fcb8304c3bd40cbdce551 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 12 Jun 2016 21:41:16 +0200
Subject: [PATCH] Fix security: A password must NEVER be stored as cookie. GETPOST must analyse POST only.
---
 htdocs/main.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index c853760b352..4cbe98d8ccd 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -438,7 +438,7 @@ if (! defined('NOLOGIN'))
 }
 $usertotest = (! empty($_COOKIE['login_dolibarr']) ? $_COOKIE['login_dolibarr'] : GETPOST("username","alpha",2));
- $passwordtotest = (! empty($_COOKIE['password_dolibarr']) ? $_COOKIE['password_dolibarr'] : GETPOST('password'));
+ $passwordtotest = GETPOST('password','',2);
 $entitytotest = (GETPOST('entity','int') ? GETPOST('entity','int') : (!empty($conf->entity) ? $conf->entity : 1));
 // Validation of login/pass/entity
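Review bot: The new `$passwordtotest = GETPOST('password','',2);` line carries the whole intent of the fix in a bare positional `2`, with nothing at the call site saying why the cookie and query-string sources are excluded, so a later refactor can quietly reintroduce them; a one-line comment would pin it down, e.g. `// Password is accepted from POST only (method=2): never from a cookie, never from the query string where it would land in URLs, access logs and referers.` The hunk stops reading `$_COOKIE['password_dolibarr']` but does not touch whatever path set that cookie; if such a path still exists outside this hunk, it should be removed and the cookie expired on the client at the next login, since a plaintext password already stored in a browser stays exposed until then. The `''` check argument leaves the value unfiltered, which is appropriate for a credential that is only compared and never echoed, so that part needs no change. The enclosing `if (! defined('NOLOGIN'))` block begins and ends outside the hunk.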