From e4090f63b11a1a72409c1f4587976fae5207c6c1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 21 May 2009 21:37:45 +0000
Subject: [PATCH] Session name DOLSESSID_databasename is replace with DOLSESSID_dolibarrwebinstance. This remove a key read in conf.class.php used to name session because, to make code simpler, we will need to create session before the conf is loaded. This is also most secure because it is possible to use 2 dolibarr instances even if database names are same on two different mysql server. Add also comments on code to remember to simplify things.
---
 htdocs/cashdesk/deconnexion.php | 4 ++--
 htdocs/cashdesk/include/environnement.php | 2 +-
 htdocs/cashdesk/index.php | 2 +-
 htdocs/lib/antispamimage.php | 2 +-
 htdocs/main.inc.php | 2 +-
 htdocs/public/paybox/newpayment.php | 2 +-
 htdocs/user/logout.php | 2 +-
 htdocs/user/passwordforgotten.php | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/htdocs/cashdesk/deconnexion.php b/htdocs/cashdesk/deconnexion.php
index f7b510516ac..86dc02e0d13 100644
--- a/htdocs/cashdesk/deconnexion.php
+++ b/htdocs/cashdesk/deconnexion.php
@@ -19,14 +19,14 @@ include('../master.inc.php');
 // Init session
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_start();
 dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));
 // Destroy session
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_destroy();
diff --git a/htdocs/cashdesk/include/environnement.php b/htdocs/cashdesk/include/environnement.php
index 8d243fbdab6..d13d976d3d6 100644
--- a/htdocs/cashdesk/include/environnement.php
+++ b/htdocs/cashdesk/include/environnement.php
@@ -17,7 +17,7 @@
 */
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_start();
diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php
index cd793ca2b45..2221adec2ec 100644
--- a/htdocs/cashdesk/index.php
+++ b/htdocs/cashdesk/index.php
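Review bot: In the deconnexion.php hunk the new session name is derived a second time, identically, after `session_start()` has already run, and `session_name()` is called again right before `session_destroy()`; neither the second assignment nor that `session_name()` call has any effect on the session that is already active, so both lines can go and only `session_destroy()` needs to remain. `session_destroy()` also removes only the server-side data: `$_SESSION` stays populated for the rest of this request and the browser keeps the DOLSESSID cookie, so a complete logout should additionally do `$_SESSION = array();` and expire the cookie, e.g. `setcookie(session_name(), '', time()-3600, '/');` (the path/domain the login page sets are not visible here; match them). Calling `session_name()` after a session is started is also the kind of ordering bug that later PHP versions turn into a warning, which is one more reason not to keep the duplicated block.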
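Review bot: The environnement.php hunk is one of eight verbatim copies of `'DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"])` in this commit, and any future change to the derivation (the commit message already announces one) has to be repeated in every file or pages silently stop sharing a session. Since the stated reason for inlining is that the name is needed before conf is loaded, a single helper in a file included before conf — master.inc.php is already included by the cashdesk pages per the other hunk, whether it is loaded before conf is not visible here — removes the copy-paste risk: `function dol_session_name() { return 'DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); }`. The message promises comments reminding to simplify this, but none appear on the new lines; at minimum a `// TODO: move into a shared helper, duplicated in main.inc.php and public pages` next to this line would mark the duplication for the next reader.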
@@ -18,7 +18,7 @@ include('../master.inc.php');
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_start();
diff --git a/htdocs/lib/antispamimage.php b/htdocs/lib/antispamimage.php
index 8636372a86b..be2764ab541 100644
--- a/htdocs/lib/antispamimage.php
+++ b/htdocs/lib/antispamimage.php
@@ -36,7 +36,7 @@ require_once DOL_DOCUMENT_ROOT.'/../external-libs/Artichow/Artichow.cfg.php';
 require_once ARTICHOW."/AntiSpam.class.php";
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_start();
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 4ee1f32a311..27ecaf50c26 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -174,7 +174,7 @@ if (! defined('NOREQUIREAJAX') && $conf->use_javascript_ajax) require_once(DOL_D
 //stopwithmem();
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_start();
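Review bot: In the main.inc.php hunk the cookie name is now keyed on `$_SERVER["SERVER_NAME"]`, which on common Apache setups (`UseCanonicalName Off`, the default) is copied from the client's Host header rather than from server configuration, so one installation reachable as `example.com`, `www.example.com` or by IP gets three different cookie names and a user logged in under one is anonymous under the others; nothing is hijackable through this, but a client-supplied value now decides which session namespace a request lands in, and the commit message's "more secure" should not be read as covering that. If a configured base URL or a per-instance constant is available before conf is loaded, hashing it together with `DOCUMENT_ROOT` pins the name server-side; otherwise the dependence on Host deserves a comment on this line. Separately, when this file is reached without a web SAPI (cron or CLI scripts, if any include it — not visible here) both keys are unset, which emits notices and collapses every such run onto the constant `DOLSESSID_`.md5(''); wrapping each key in `isset()` keeps the derivation quiet in that case. The old `eregi_replace()` form at least produced a name that revealed nothing beyond the host; the md5 form also hides the document-root path from the cookie, which is a small win worth keeping.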
diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php
index 52ca5510caa..b12813cedd6 100644
--- a/htdocs/public/paybox/newpayment.php
+++ b/htdocs/public/paybox/newpayment.php
@@ -29,7 +29,7 @@
 // Creation d'un jeton contre les failles CSRF
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 session_name($sessionname);
 session_start();
 $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire
diff --git a/htdocs/user/logout.php b/htdocs/user/logout.php
index d2ae3442405..dafbb1e0522 100644
--- a/htdocs/user/logout.php
+++ b/htdocs/user/logout.php
@@ -48,7 +48,7 @@ session_unregister("dol_login");
 session_unregister("dol_entity");
 // Destroy session
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_destroy();
diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php
index fd9e01e85dd..a9bde3bfcaf 100644
--- a/htdocs/user/passwordforgotten.php
+++ b/htdocs/user/passwordforgotten.php
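Review bot: The newpayment.php hunk is the only copy of this block on the new side that calls `session_start()` without first setting `session.gc_maxlifetime` from MAIN_SESSION_TIMEOUT. PHP's session garbage collector runs inside whichever request happens to trigger it and uses that request's gc_maxlifetime, so when MAIN_SESSION_TIMEOUT is configured above the php.ini default a hit on this public page can delete back-office session files in the same save path that the back-office still considers alive — and with this commit the two now share a cookie namespace as well. Add the same guard here, `if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);`, assuming `$conf` is loaded on this page before this point (not visible in the hunk). Unrelated to this change but on the context line right below, the CSRF token is seeded from `mt_rand()`, which is not a cryptographic source; worth a follow-up rather than a fix in this commit.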
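Review bot: In the logout.php hunk the recomputed session name cannot affect the session being destroyed: the `session_unregister()` calls on the context lines show a session is already active, and `session_name()` only governs a session started after it, so the new `$sessionname` line and the following `session_name($sessionname)` are dead here and can be deleted, leaving `session_destroy()` to act on the session whatever include started it (main.inc.php presumably, but that is outside the hunk). `session_destroy()` does not expire the cookie in the browser, and unregistering two keys leaves the rest of `$_SESSION` in memory for this request, so `$_SESSION = array();` followed by `setcookie(session_name(), '', time()-3600, '/');` (match the path/domain the login cookie is set with) makes the logout complete. `session_unregister()` on the context lines is deprecated as of PHP 5.3; `unset($_SESSION["dol_login"], $_SESSION["dol_entity"]);` is the replacement when that code is next touched.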
@@ -31,7 +31,7 @@ require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
 require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php");
 // Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.eregi_replace('[^a-z0-9]','',$_SERVER["SERVER_NAME"].'_'.$_SERVER["DOCUMENT_ROOT"]);
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
 if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
 session_name($sessionname);
 session_start();