diff --git a/htdocs/cashdesk/deconnexion.php b/htdocs/cashdesk/deconnexion.php index 86dc02e0d13..911bb886238 100644 --- a/htdocs/cashdesk/deconnexion.php +++ b/htdocs/cashdesk/deconnexion.php @@ -15,19 +15,20 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -include('../master.inc.php'); -// Init session // Init session. Name of session is specific to Dolibarr instance. $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); session_name($sessionname); session_start(); -dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); + +include('../master.inc.php'); // Destroy session $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); session_name($sessionname); session_destroy(); dol_syslog("End of session ".$sessionname); diff --git a/htdocs/cashdesk/include/environnement.php b/htdocs/cashdesk/include/environnement.php index d13d976d3d6..62d37b7bde0 100644 --- a/htdocs/cashdesk/include/environnement.php +++ b/htdocs/cashdesk/include/environnement.php 
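Review bot: The added timeout line `if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout);` passes the cookie name ('DOLSESSTIMEOUT_' . md5(...)) to ini_set rather than the cookie's value, so gc_maxlifetime is set to a non-numeric string whenever that cookie exists, which PHP will presumably read as 0 or reject rather than as a lifetime in seconds; the same two added lines recur in the environnement.php, index.php, antispamimage.php, newpayment.php, logout.php and passwordforgotten.php hunks of this commit. Reading the value instead would make the session lifetime whatever the client chooses to send, whereas the removed line took it from the server-side setting `$conf->global->MAIN_SESSION_TIMEOUT`; the lifetime should stay under server control, and if a pre-config value is unavoidable it should be parsed and bounded, e.g. `$timeout = (int) $_COOKIE[$sessiontimeout];` followed by `if ($timeout > 0) ini_set('session.gc_maxlifetime', $timeout);`, with an upper bound chosen from the server configuration. Note also that gc_maxlifetime only governs garbage collection of stored session data and is not by itself an enforced idle timeout, which is worth a comment on these lines since the old config-driven check is gone.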
@@ -18,7 +18,8 @@ // Init session. Name of session is specific to Dolibarr instance. $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); session_name($sessionname); session_start(); dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php index 2221adec2ec..481e74c9702 100644 --- a/htdocs/cashdesk/index.php +++ b/htdocs/cashdesk/index.php @@ -15,19 +15,20 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -include('../master.inc.php'); // Init session. Name of session is specific to Dolibarr instance. $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); session_name($sessionname); session_start(); -dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); -if ( $_SESSION['uid'] > 0 ) { +include('../master.inc.php'); +if ( $_SESSION['uid'] > 0 ) +{ header ('Location: affIndex.php'); - + exit; } ?> diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 76780442940..4bd52e0414e 100644 
--- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -9,6 +9,7 @@ VersionDevelopment=Development VersionUnknown=Unknown VersionRecommanded=Recommended SessionId=Session ID +SessionSavePath=Storage session localization HTMLCharset=Charset for generated HTML pages DBStoringCharset=Database charset to store data DBSortingCharset=Database charset to sort data diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang index b6aae963f9f..6a66e7c5a03 100644 --- a/htdocs/langs/fr_FR/admin.lang +++ b/htdocs/langs/fr_FR/admin.lang @@ -9,6 +9,7 @@ VersionDevelopment = Développement VersionUnknown = Inconnue VersionRecommanded = Recommandé SessionId = ID Session +SessionSavePath=Localisation sauvegarde sessions HTMLCharset = Charset des pages HTML générées DBStoringCharset = Charset base pour stockage données DBSortingCharset = Charset base pour tri données diff --git a/htdocs/lib/antispamimage.php b/htdocs/lib/antispamimage.php index be2764ab541..b145e47491d 100644 --- a/htdocs/lib/antispamimage.php +++ b/htdocs/lib/antispamimage.php 
@@ -31,18 +31,17 @@ if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // This is to make Dolibarr working with Plesk set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs'); +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); +session_name($sessionname); +session_start(); + require_once("../master.inc.php"); require_once DOL_DOCUMENT_ROOT.'/../external-libs/Artichow/Artichow.cfg.php'; require_once ARTICHOW."/AntiSpam.class.php"; -// Init session. Name of session is specific to Dolibarr instance. -$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); -session_name($sessionname); -session_start(); -dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); - - // On cree l'objet anti-spam $object = new AntiSpam(); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 27ecaf50c26..cdaf9703727 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php 
@@ -119,21 +119,20 @@ if (! defined('NOCSRFCHECK') && ! empty($_SERVER['HTTP_HOST']) && ! empty($_SERV // This is to make Dolibarr working with Plesk set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs'); -// Security session -// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some session handlers -$sessionname="DOLSESSID_SECURITY"; +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_SERVER["DOLSESSTIMEOUT"])) ini_set('session.gc_maxlifetime',$_SERVER["DOLSESSTIMEOUT"]); +if (! empty($_COOKIE["DOLSESSTIMEOUT"])) ini_set('session.gc_maxlifetime',$_REQUEST["DOLSESSTIMEOUT"]); session_name($sessionname); session_start(); + +// Security. TODO Check if this is usefull. if (!isset($_SESSION['cryptkey'])) $_SESSION['cryptkey'] = mt_rand(); // Set and init common variables // This include will set: config file variable $dolibarr_xxx, $conf, $langs and $mysoc objects require_once("master.inc.php"); -//Fermeture de la session de securite, ses donnees sont sauvegardees -// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some web servers. -session_write_close(); - // Check if HTTPS if ($conf->file->main_force_https) { 
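Review bot: The second added timeout line tests `$_COOKIE["DOLSESSTIMEOUT"]` but writes `$_REQUEST["DOLSESSTIMEOUT"]` into gc_maxlifetime, so the value applied may come from a GET or POST parameter rather than the cookie that was checked, and in either case from the client; the line just above it reads `$_SERVER["DOLSESSTIMEOUT"]`, which only the server environment can set, and keeping that as the sole source (or moving back to the config value once master.inc.php has loaded) keeps the session lifetime server-controlled. If the cookie must be honoured, use the same source on both sides and bound it: `if (! empty($_COOKIE["DOLSESSTIMEOUT"]) && (int) $_COOKIE["DOLSESSTIMEOUT"] > 0) ini_set('session.gc_maxlifetime', (int) $_COOKIE["DOLSESSTIMEOUT"]);`. The new comment `// Security. TODO Check if this is usefull.` above the cryptkey line can be answered within this commit: the master.inc.php hunk still builds `new DolCookie($_SESSION['cryptkey'])` in its cookie fallback, so the key is still in use, and since `mt_rand()` is not a cryptographic source that dependency is worth stating in the comment. The surrounding HTTPS check continues outside the hunk.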
@@ -173,20 +172,12 @@ if (! defined('NOREQUIREHTML')) require_once(DOL_DOCUMENT_ROOT ."/html.form.clas if (! defined('NOREQUIREAJAX') && $conf->use_javascript_ajax) require_once(DOL_DOCUMENT_ROOT.'/lib/ajax.lib.php'); // Need 20ko memory //stopwithmem(); -// Init session. Name of session is specific to Dolibarr instance. -$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); -session_name($sessionname); -session_start(); -dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".(isset($_SESSION["dol_login"])?$_SESSION["dol_login"]:'').", ".ini_get("session.gc_maxlifetime")); - // Creation d'un jeton contre les failles CSRF $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire // roulement des jetons car cree a chaque appel if (isset($_SESSION['token_level_1'])) $_SESSION['token_level_2'] = $_SESSION['token_level_1']; if (isset($_SESSION['newtoken'])) $_SESSION['token_level_1'] = $_SESSION['newtoken']; $_SESSION['newtoken'] = $token; - // Verification de la presence et de la validite du jeton if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSION['token_level_2'])) { diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 9e46d3bccc4..001da3b669d 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php 
@@ -205,32 +205,35 @@ if (! defined('NOREQUIREUSER')) */ if (! defined('NOREQUIREDB')) { - // TODO MULTICOMP Must fix this. Using cookie object inside the master.inc.php - // should be forbidden. Must replace cookie usage with session to save - // a lot of code and avoid cookie forging. - $entityCookieName="DOLENTITYID_dolibarr"; - // Retrieve the entity - if (isset($_POST["loginfunction"]) && isset($_POST["entity"])) // Just after a login page + if (session_id() && isset($_SESSION["dol_entity"])) // Entity inside an opened session { - $conf->entity = $_POST["entity"]; - } - else if (isset($_COOKIE[$entityCookieName])) // Inside a browser navigation - { - include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php"); - - // Utilisation de $_SESSION['cryptkey'] comme cle de cryptage - $entityCookie = new DolCookie($_SESSION['cryptkey']); - $conf->entity = $entityCookie->_getCookie($entityCookieName); - } - elseif (session_id() && isset($_SESSION["dol_entity"])) // Inside an opened session - { - // TODO MULTICOMP This is not used for the moment as session is started after for the moment $conf->entity = $_SESSION["dol_entity"]; } - elseif (isset($_ENV["dol_entity"])) // If inside a CLI script + elseif (isset($_ENV["dol_entity"])) // Entity inside a CLI script { $conf->entity = $_ENV["dol_entity"]; } + else // Entity from login page + { + if (isset($_POST["loginfunction"]) && isset($_POST["entity"])) // Just after a login page + { + $conf->entity = $_POST["entity"]; + } + else + { + // TODO MULTICOMP This can be removed now. + // Cookie usage replaced with session to save a lot of code and avoid cookie forging. 
+ $entityCookieName="DOLENTITYID_dolibarr"; + if (isset($_COOKIE[$entityCookieName])) // Should not be used anymore + { + include_once(DOL_DOCUMENT_ROOT."/core/cookie.class.php"); + + // Utilisation de $_SESSION['cryptkey'] comme cle de cryptage + $entityCookie = new DolCookie($_SESSION['cryptkey']); + $conf->entity = $entityCookie->_getCookie($entityCookieName); + } + } + } $conf->setValues($db); } diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php index b12813cedd6..e48ceefcf6c 100644 --- a/htdocs/public/paybox/newpayment.php +++ b/htdocs/public/paybox/newpayment.php @@ -26,12 +26,14 @@ * \version $Id$ */ -// Creation d'un jeton contre les failles CSRF - // Init session. Name of session is specific to Dolibarr instance. $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); session_name($sessionname); session_start(); + +// Creation d'un jeton contre les failles CSRF $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire // roulement des jetons car cree a chaque appel if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; diff --git a/htdocs/user/logout.php b/htdocs/user/logout.php index dafbb1e0522..68cabda53f8 100644 --- a/htdocs/user/logout.php +++ b/htdocs/user/logout.php 
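Review bot: The new login-page branch still assigns the raw request value, `$conf->entity = $_POST["entity"];`, and that string then reaches `$conf->setValues($db)` at the end of the block unchanged; casting it, `$conf->entity = (int) $_POST["entity"];`, keeps the entity a numeric id regardless of how setValues uses it (not visible here). The session branch now taking priority relies on `session_id()` being non-empty, which holds only because the other hunks in this commit start the session before including master.inc.php; a one-line comment on the `if (session_id() && ...)` line stating that callers must call session_start() first would make that ordering requirement explicit. The cookie fallback, marked "Should not be used anymore", still decrypts with `$_SESSION['cryptkey']`, so it cannot be dropped until main.inc.php's cryptkey handling is also removed, and the `// TODO MULTICOMP This can be removed now.` comment should say so.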
@@ -49,19 +49,12 @@ session_unregister("dol_entity"); // Destroy session $sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); session_name($sessionname); session_destroy(); dol_syslog("End of session ".$sessionname); -// Destroy security session -// TODO MULTICOMP Must fix this. Using 2 session in same page will create problems on some PHP session handlers. -$sessionname="DOLSESSID_SECURITY"; -session_name($sessionname); -session_destroy(); -dol_syslog("End of session ".$sessionname); - - // Destroy entity cookie // TODO MULTICOMP Must fix this. Use session instead of cookie. if ($conf->multicompany->enabled) diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index 4bc3444824f..76a04488c5e 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php 
@@ -25,18 +25,18 @@ // This is to make Dolibarr working with Plesk set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs'); +// Init session. Name of session is specific to Dolibarr instance. +$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); +if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$sessiontimeout); +session_name($sessionname); +session_start(); + require("../master.inc.php"); require_once(DOL_DOCUMENT_ROOT."/contact.class.php"); require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php"); require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php"); -// Init session. Name of session is specific to Dolibarr instance. -$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]); -if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) ini_set('session.gc_maxlifetime',$conf->global->MAIN_SESSION_TIMEOUT); -session_name($sessionname); -session_start(); -dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _SESSION['dol_login']=".$_SESSION["dol_login"].", ".ini_get("session.gc_maxlifetime")); - $user->getrights('user'); $langs->load("main");