Qual: Now creation of session is done before the loading of conf. This make code much easier to understand.

2025-02-20 13:46:52 +01:00 · 2009-05-21 22:28:05 +00:00 · 2009-05-21 22:28:05 +00:00 · fb0e668fc0
commit fb0e668fc0
parent 63b5f67069
11 changed files with 65 additions and 72 deletions
--- a/htdocs/cashdesk/deconnexion.php
+++ b/htdocs/cashdesk/deconnexion.php
@ -15,19 +15,20 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */
-include('../master.inc.php');

-// Init session
 // Init session. Name of session is specific to Dolibarr instance.
 $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
 session_name($sessionname);
 session_start();
-dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));
+
+include('../master.inc.php');

 // Destroy session
 $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
 session_name($sessionname);
 session_destroy();
 dol_syslog("End of session ".$sessionname);
--- a/htdocs/cashdesk/include/environnement.php
+++ b/htdocs/cashdesk/include/environnement.php
@ -18,7 +18,8 @@

 // Init session. Name of session is specific to Dolibarr instance.
 $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
 session_name($sessionname);
 session_start();
 dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));
--- a/htdocs/cashdesk/index.php
+++ b/htdocs/cashdesk/index.php
@ -15,19 +15,20 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */
-include('../master.inc.php');

 // Init session. Name of session is specific to Dolibarr instance.
 $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
 session_name($sessionname);
 session_start();
-dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));

-if ( $_SESSION['uid'] > 0 ) {
+include('../master.inc.php');

+if ( $_SESSION['uid'] > 0 )
+{
 	header ('Location: affIndex.php');
-
+	exit;
 }

 ?>
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@ -9,6 +9,7 @@ VersionDevelopment=Development
 VersionUnknown=Unknown
 VersionRecommanded=Recommended
 SessionId=Session ID
+SessionSavePath=Storage session localization
 HTMLCharset=Charset for generated HTML pages
 DBStoringCharset=Database charset to store data
 DBSortingCharset=Database charset to sort data
--- a/htdocs/langs/fr_FR/admin.lang
+++ b/htdocs/langs/fr_FR/admin.lang
@ -9,6 +9,7 @@ VersionDevelopment = Développement
 VersionUnknown = Inconnue
 VersionRecommanded = Recommandé
 SessionId = ID Session
+SessionSavePath=Localisation sauvegarde sessions
 HTMLCharset = Charset des pages HTML générées
 DBStoringCharset = Charset base pour stockage données
 DBSortingCharset = Charset base pour tri données
--- a/htdocs/lib/antispamimage.php
+++ b/htdocs/lib/antispamimage.php
@ -31,18 +31,17 @@ if (! defined('NOREQUIRESOC'))  define('NOREQUIRESOC','1');
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');

+// Init session. Name of session is specific to Dolibarr instance.
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
+session_name($sessionname);
+session_start();
+
 require_once("../master.inc.php");
 require_once DOL_DOCUMENT_ROOT.'/../external-libs/Artichow/Artichow.cfg.php';
 require_once ARTICHOW."/AntiSpam.class.php";

-// Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
-session_name($sessionname);
-session_start();
-dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));
-
-
 // On cree l'objet anti-spam
 $object = new AntiSpam();

--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@ -119,21 +119,20 @@ if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERV
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');

-// Security session
-// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some session handlers
-$sessionname="DOLSESSID_SECURITY";
+// Init session. Name of session is specific to Dolibarr instance.
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_SERVER["DOLSESSTIMEOUT"])) ini_set('session.gc_maxlifetime',$_SERVER["DOLSESSTIMEOUT"]);
+if (! empty($_COOKIE["DOLSESSTIMEOUT"])) ini_set('session.gc_maxlifetime',$_REQUEST["DOLSESSTIMEOUT"]);
 session_name($sessionname);
 session_start();
+
+// Security. TODO Check if this is usefull.
 if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand();

 // Set and init common variables
 // This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects
 require_once("master.inc.php");

-//Fermeture de la session de securite, ses donnees sont sauvegardees
-// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some web servers.
-session_write_close();
-
 // Check if HTTPS
 if ($conf->file->main_force_https)
 {
@ -173,20 +172,12 @@ if (! defined('NOREQUIREHTML')) require_once(DOL_DOCUMENT_ROOT ."/html.form.clas
 if (! defined('NOREQUIREAJAX') && $conf->use_javascript_ajax) require_once(DOL_DOCUMENT_ROOT.'/lib/ajax.lib.php');	// Need 20ko memory
 //stopwithmem();

-// Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
-session_name($sessionname);
-session_start();
-dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".(isset($_SESSION["dol_login"])?$_SESSION["dol_login"]:'').", ".ini_get("session.gc_maxlifetime"));
-
 // Creation d'un jeton contre les failles CSRF
 $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire
 // roulement des jetons car cree a chaque appel
 if (isset($_SESSION['token_level_1'])) $_SESSION['token_level_2'] = $_SESSION['token_level_1'];
 if (isset($_SESSION['newtoken'])) $_SESSION['token_level_1'] = $_SESSION['newtoken'];
 $_SESSION['newtoken'] = $token;
-
 // Verification de la presence et de la validite du jeton
 if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSION['token_level_2']))
 {
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@ -205,32 +205,35 @@ if (! defined('NOREQUIREUSER'))
 */
 if (! defined('NOREQUIREDB'))
 {
-	// TODO MULTICOMP Must fix this. Using cookie object inside the master.inc.php
-	// should be forbidden. Must replace cookie usage with session to save
-	// a lot of code and avoid cookie forging.
-	$entityCookieName="DOLENTITYID_dolibarr";
-	// Retrieve the entity
-	if (isset($_POST["loginfunction"]) && isset($_POST["entity"]))	// Just after a login page
+	if (session_id() && isset($_SESSION["dol_entity"]))				// Entity inside an opened session
 	{
-		$conf->entity = $_POST["entity"];
-	}
-	else if (isset($_COOKIE[$entityCookieName]))					// Inside a browser navigation
-	{
-		include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php");
-
-		// Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
-		$entityCookie = new DolCookie($_SESSION['cryptkey']);
-		$conf->entity = $entityCookie->_getCookie($entityCookieName);
-	}
-	elseif (session_id() && isset($_SESSION["dol_entity"]))			// Inside an opened session
-	{
-		// TODO MULTICOMP This is not used for the moment as session is started after for the moment
 		$conf->entity = $_SESSION["dol_entity"];
 	}
-	elseif (isset($_ENV["dol_entity"]))								// If inside a CLI script
+	elseif (isset($_ENV["dol_entity"]))								// Entity inside a CLI script
 	{
 		$conf->entity = $_ENV["dol_entity"];
 	}
+	else															// Entity from login page
+	{
+		if (isset($_POST["loginfunction"]) && isset($_POST["entity"]))	// Just after a login page
+		{
+			$conf->entity = $_POST["entity"];
+		}
+		else
+		{
+			// TODO MULTICOMP This can be removed now.
+			// Cookie usage replaced with session to save a lot of code and avoid cookie forging.
+			$entityCookieName="DOLENTITYID_dolibarr";
+			if (isset($_COOKIE[$entityCookieName]))					// Should not be used anymore
+			{
+				include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php");
+
+				// Utilisation de $_SESSION['cryptkey'] comme cle de cryptage
+				$entityCookie = new DolCookie($_SESSION['cryptkey']);
+				$conf->entity = $entityCookie->_getCookie($entityCookieName);
+			}
+		}
+	}
 	$conf->setValues($db);
 }

--- a/htdocs/public/paybox/newpayment.php
+++ b/htdocs/public/paybox/newpayment.php
@ -26,12 +26,14 @@
 *		\version    $Id$
 */

-// Creation d'un jeton contre les failles CSRF
-
 // Init session. Name of session is specific to Dolibarr instance.
 $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
 session_name($sessionname);
 session_start();
+
+// Creation d'un jeton contre les failles CSRF
 $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire
 // roulement des jetons car cree a chaque appel
 if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
--- a/htdocs/user/logout.php
+++ b/htdocs/user/logout.php
@ -49,19 +49,12 @@ session_unregister("dol_entity");

 // Destroy session
 $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
 session_name($sessionname);
 session_destroy();
 dol_syslog("End of session ".$sessionname);

-// Destroy security session
-// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some PHP session handlers.
-$sessionname="DOLSESSID_SECURITY";
-session_name($sessionname);
-session_destroy();
-dol_syslog("End of session ".$sessionname);
-
-
 // Destroy entity cookie
 // TODO MULTICOMP Must fix this. Use session instead of cookie.
 if ($conf->multicompany->enabled)
--- a/htdocs/user/passwordforgotten.php
+++ b/htdocs/user/passwordforgotten.php
@ -25,18 +25,18 @@
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');

+// Init session. Name of session is specific to Dolibarr instance.
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);
+session_name($sessionname);
+session_start();
+
 require("../master.inc.php");
 require_once(DOL_DOCUMENT_ROOT."/contact.class.php");
 require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
 require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php");

-// Init session. Name of session is specific to Dolibarr instance.
-$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
-if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT);
-session_name($sessionname);
-session_start();
-dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime"));
-
 $user->getrights('user');

 $langs->load("main");