From c5332b470c2a335ca692c542b5a7405407c1f652 Mon Sep 17 00:00:00 2001
From: jorix <xavier.mamano@gmail.com>
Date: Tue, 20 Nov 2018 18:51:09 +0100
Subject: [PATCH 1/5] Use $_SESSION instead of encrypted cookie.

The sensitive information is only saved in $ _SESSION and in this way it is avoided in the client cotens sensitive data even though it was encrypted.

On the other hand when you stop using mcrypt Aixada no longer fails for any page using PHP7.1 or higher.

This is a step to allow PHP7 to be used.
---
 activate_roles.php                      |   9 +-
 js/aixadautilities/jquery.aixadaMenu.js |   1 -
 local_config/config.php.sample          |  20 --
 login.php                               |  24 +--
 manage_data.php                         |  19 +-
 manage_ufmember.php                     |   7 +-
 php/ctrl/Account.php                    |   9 -
 php/ctrl/ActivateProducts.php           |  12 --
 php/ctrl/ActivateRoles.php              |   6 -
 php/ctrl/Admin.php                      |   4 -
 php/ctrl/Cookie.php                     |  15 +-
 php/ctrl/Dates.php                      |   7 -
 php/ctrl/ImportExport.php               |   6 +-
 php/ctrl/Incidents.php                  |   6 -
 php/ctrl/Login.php                      |   7 -
 php/ctrl/Orders.php                     |   5 -
 php/ctrl/Providers.php                  |   7 -
 php/ctrl/Report.php                     |   5 -
 php/ctrl/Shop.php                       |   4 -
 php/ctrl/SmallQ.php                     |   3 -
 php/ctrl/TableManager.php               |  17 +-
 php/ctrl/UserAndUf.php                  |   6 -
 php/ctrl/Validate.php                   |   6 -
 php/inc/cookie.inc.php                  | 245 ++++--------------------
 php/inc/database.php                    |   9 -
 php/inc/header.inc.php                  |   8 +-
 php/inc/menu.inc.php                    |  90 +++++----
 php/lib/report_manager.php              |   4 -
 php/lib/report_orders.php               |   3 -
 php/utilities/general.php               |  37 +++-
 30 files changed, 161 insertions(+), 440 deletions(-)

diff --git a/activate_roles.php b/activate_roles.php
index 16efc5fb..3079d029 100644
--- a/activate_roles.php
+++ b/activate_roles.php
@@ -14,10 +14,13 @@
     <?php echo aixada_js_src(); ?>
    		
  	<script type="text/javascript" src="js/jqueryui/i18n/jquery.ui.datepicker-<?=$language;?>.js" ></script>
-     
    
-   
-    <?php $the_role = $_SESSION['userdata']['current_role']; ?>
+    <?php 
+        if (!isset($_SESSION)) {
+            session_start();
+        }
+        $the_role = $_SESSION['userdata']['current_role'];
+    ?>
 	<script type="text/javascript">
 	$(function(){
 		$.ajaxSetup({ cache: false });
diff --git a/js/aixadautilities/jquery.aixadaMenu.js b/js/aixadautilities/jquery.aixadaMenu.js
index 650392df..6e7aac37 100644
--- a/js/aixadautilities/jquery.aixadaMenu.js
+++ b/js/aixadautilities/jquery.aixadaMenu.js
@@ -57,7 +57,6 @@ $(function(){
             url: "php/ctrl/Cookie.php?change_role_to=" + new_role + "&originating_uri=" + rq_uri,
             dataType: "xml",
             success:  function(xml){
-		document.cookie = 'USERAUTH=' + escape($(xml).find('cookie').text());
 		window.location.href = $(xml).find('navigation').text(); 
    			}   		
    		});
diff --git a/local_config/config.php.sample b/local_config/config.php.sample
index e467a871..bae7ea9d 100644
--- a/local_config/config.php.sample
+++ b/local_config/config.php.sample
@@ -357,26 +357,6 @@ class configuration_vars {
    * users if available. 
    */
   public $incidents_email_list = ""; 
-  
-  
-  
-  
-  
-  /**
-   * CODE OPTIMIZATIONS
-   */
-
-  /**
-   * @var bool In case the database is parsed, this variable controls if the table_manager objects are stored in $_SESSION or not. Setting this variable to true cuts down considerably on execution time.
-   */
-  public $use_session_cache = true;
-
-  /**
-   * @var bool If true, this variable says to not parse the database every time a page is loaded, but to read the pre-compiled responses from the file canned_responses.php.  Setting this variable to true cuts down considerably on execution time.
-   */
-  public $use_canned_responses = true;
-
-
 
   /**
    * 
diff --git a/login.php b/login.php
index 36827781..f33f8d6e 100644
--- a/login.php
+++ b/login.php
@@ -3,13 +3,11 @@
 
 require_once(__ROOT__ . 'php'.DS.'inc'.DS.'authentication.inc.php');
 
-// This controls if the table_manager objects are stored in $_SESSION or not.
-// It looks like doing it cuts down considerably on execution time.
-$use_session_cache = configuration_vars::get_instance()->use_session_cache;
-
 if (!isset($_SESSION)) {
     session_start();
- }
+    $_SESSION['aixada'] = true;
+    session_commit(); // Force write session to create it and able to open $_SESSION faster.
+}
 
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -55,21 +53,7 @@
 					type: "POST",
                     url: "php/ctrl/Login.php?oper=login",
 					data:dataSerial,		
-					success: function(returned_cookie){
-					    /*
-					      FIXME
-					      there are two very basic security issues here:
-					      1. the dataSerial is posted unencrypted, and so is visible to everyone!
-					      Even encrypting the username/password is no solution, because anyone who intercepts the communication
-					      can just send the encrypted text without knowing what it decrypts to, but can log in anyways.
-					      The solution could be to implement an SSL protocol.
-					      2. The cookie never expires.
-					      This has two parts: here in document.cookie we could set an expiry date;
-					      on the other hand, if the cookie is seen to have expired in cookie.inc.php, 
-					      it is just renewed without any consequence.
-					     */
-					    document.cookie = 'USERAUTH=' + escape(returned_cookie);
-					    
+					success: function() {
 					    top.location.href = 'index.php';
 					    
 					},
diff --git a/manage_data.php b/manage_data.php
index 66db0412..75b1d527 100644
--- a/manage_data.php
+++ b/manage_data.php
@@ -23,16 +23,21 @@ function may_edit_table($data_table) {
         $table_aux = strstr($data_table, '_');
         $prefix = strstr($data_table, '_', true);
         if ($prefix !== 'aixada') {
-            $table_aux = '_'.$prefix.$table_aux;
+            $table_aux = '_' . $prefix.$table_aux;
         }
-        $property = 'may_edit'.$table_aux;
-        if (in_array($property, 
-                     configuration_vars::get_instance()->rights_of[$_SESSION['userdata']['current_role']])) {
-            return true;
-        } else {
-            return false;
+        if (!isset($_SESSION)) {
+            session_start();
+        }
+        if (isset($_SESSION['userdata'])) {
+            $rights_of = get_config('rights_of');
+            $current_role = $_SESSION['userdata']['current_role'];
+            if (in_array('may_edit' . $table_aux, $rights_of[$current_role])) {
+                return true;
+            }
         }
+        return false;
     }
+
     $is_edit = 'false';
     if ($data_manager){
         if (may_edit_table($table_name)) {
diff --git a/manage_ufmember.php b/manage_ufmember.php
index 53ffbd83..2091c6b9 100644
--- a/manage_ufmember.php
+++ b/manage_ufmember.php
@@ -42,7 +42,12 @@
 
 
 		//show/hide reset pwd. 
-		var isAdmin = "<?=$_SESSION['userdata']['current_role'];?>";
+		var isAdmin = "<?php
+            if (!isset($_SESSION)) {
+                session_start();
+            }
+            echo $_SESSION['userdata']['current_role'];
+        ?>";
 		isAdmin = (isAdmin == "Hacker Commission")? true:false; 
 
 			
diff --git a/php/ctrl/Account.php b/php/ctrl/Account.php
index 76e509eb..eb8badac 100644
--- a/php/ctrl/Account.php
+++ b/php/ctrl/Account.php
@@ -8,15 +8,6 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/lib/account_operations.php");
 
-
-$use_session_cache = true; 
-
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-
 try{ 
    	$ao = new account_operations();
  	switch ($_REQUEST['oper']) {
diff --git a/php/ctrl/ActivateProducts.php b/php/ctrl/ActivateProducts.php
index ef3d6c69..4d6dc3d0 100644
--- a/php/ctrl/ActivateProducts.php
+++ b/php/ctrl/ActivateProducts.php
@@ -10,18 +10,6 @@
 require_once(__ROOT__ . "php/utilities/dates.php");
 require_once(__ROOT__ . "php/utilities/shop_and_order.php");
 
-
-
-// This controls if the table_manager objects are stored in $_SESSION or not.
-// It looks like doing it cuts down considerably on execution time.
-$use_session_cache = configuration_vars::get_instance()->use_session_cache;
-
-
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
 //DBWrap::get_instance()->debug = true;
 
 try{
diff --git a/php/ctrl/ActivateRoles.php b/php/ctrl/ActivateRoles.php
index 9a324d73..63b7307d 100644
--- a/php/ctrl/ActivateRoles.php
+++ b/php/ctrl/ActivateRoles.php
@@ -11,12 +11,6 @@
     session_start();
  }
 
-DBWrap::get_instance()->debug = true;
-
-function get_deactivated_roles($member_id)
-{
-
-}
 
 try{
   $op_id = $_SESSION['userdata']['uf_id'];
diff --git a/php/ctrl/Admin.php b/php/ctrl/Admin.php
index 9628d363..57629ece 100644
--- a/php/ctrl/Admin.php
+++ b/php/ctrl/Admin.php
@@ -7,10 +7,6 @@
 require_once __ROOT__ . "php/inc/adminDatabase.php";
 require_once __ROOT__ . "php/utilities/general.php";
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
 try{
 
 	
diff --git a/php/ctrl/Cookie.php b/php/ctrl/Cookie.php
index 9de45644..9be943b8 100644
--- a/php/ctrl/Cookie.php
+++ b/php/ctrl/Cookie.php
@@ -6,10 +6,6 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . 'php/inc/cookie.inc.php');
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
 try {
     $cookie = new Cookie();
     $cookie->validate();
@@ -23,9 +19,9 @@
 try {
     if (isset($_REQUEST['change_role_to'])) {
         $new_role = $_REQUEST['change_role_to'];
+        $cookie->change_role($new_role);
         $fp = configuration_vars::get_instance()->forbidden_pages;
-        if (!$uri || 
-            (isset($_SESSION['userdata']) && isset($fp[$new_role]))) {
+        if (!$uri || isset($fp[$new_role])) {
             $forbidden = false;
             foreach($fp[$new_role] as $page) {
                 if (strpos($uri, $page) !== false) {
@@ -36,17 +32,14 @@
             if ($forbidden) 
                 $uri = 'index.php';
         }
-        $cookie->change_role($new_role);
-        printXML('<row><navigation>' . $uri . '</navigation>' .
-		 '<cookie>' . $cookie->package() . '</cookie></row>');
+        printXML('<row><navigation>' . $uri . '</navigation></row>');
         exit;
     }
     
     if (isset($_REQUEST['change_lang_to'])) {
         $new_lang = $_REQUEST['change_lang_to'];
         $cookie->change_language($new_lang);
-        printXML('<row><navigation>' . $uri . '</navigation>' .
-		 '<cookie>' . $cookie->package() . '</cookie></row>');
+        printXML('<row><navigation>' . $uri . '</navigation></row>');
         exit;        
     }
 }
diff --git a/php/ctrl/Dates.php b/php/ctrl/Dates.php
index 6412593e..d2168bed 100644
--- a/php/ctrl/Dates.php
+++ b/php/ctrl/Dates.php
@@ -8,13 +8,6 @@
 require_once(__ROOT__ . "php/utilities/dates.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 
-$use_session_cache = configuration_vars::get_instance()->use_session_cache;
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-
 DBWrap::get_instance()->debug = true;
 
 function extract_data($what) {
diff --git a/php/ctrl/ImportExport.php b/php/ctrl/ImportExport.php
index f033e909..421e5136 100644
--- a/php/ctrl/ImportExport.php
+++ b/php/ctrl/ImportExport.php
@@ -28,6 +28,9 @@
 $firephp = FirePHP::getInstance(true);
 
 
+if (!isset($_SESSION)) {
+    session_start();
+}
 
 try{ 
    
@@ -104,7 +107,8 @@
                 }
             }
 			echo $dt->get_html_table();
-			$_SESSION['import_file'] = $path; 
+			$_SESSION['import_file'] = $path;
+            session_commit();
  			exit;
 
  	
diff --git a/php/ctrl/Incidents.php b/php/ctrl/Incidents.php
index 26d48f36..efc98a48 100644
--- a/php/ctrl/Incidents.php
+++ b/php/ctrl/Incidents.php
@@ -8,12 +8,6 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/utilities/incidents.php");
 
-
-
-if (!isset($_SESSION)) {
-    session_start();
-}
-
 try{
 
     switch (get_param('oper')) {
diff --git a/php/ctrl/Login.php b/php/ctrl/Login.php
index 4d98a559..12f0d6c4 100644
--- a/php/ctrl/Login.php
+++ b/php/ctrl/Login.php
@@ -11,10 +11,6 @@
 require_once(__ROOT__ . "php/lib/exceptions.php");
 require_once(__ROOT__ . 'php/inc/cookie.inc.php');
 
-if (!isset($_SESSION)) {
-    session_start();
-}
-
 require_once(__ROOT__ . 'php/external/FirePHPCore/lib/FirePHPCore/FirePHP.class.php');
 ob_start();
 $firephp = FirePHP::getInstance(true);
@@ -70,13 +66,10 @@
 	                               array_values($langs), 
 	                               $current_language_key,
 	                               $theme);
-	
-	          $cookie->set();
 	      }	catch (AuthException $e) {
 		  	header("HTTP/1.1 401 Unauthorized " . $e->getMessage());
 	        die($e->getMessage());
 	      }	
-	      print $cookie->package();
 	      exit; 
 	      	
 	  default:
diff --git a/php/ctrl/Orders.php b/php/ctrl/Orders.php
index da02c4ee..564068d6 100644
--- a/php/ctrl/Orders.php
+++ b/php/ctrl/Orders.php
@@ -8,11 +8,6 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/utilities/orders.php");
 
-
-if (!isset($_SESSION)) {
-    session_start();
-}
-
 try{
 	
 
diff --git a/php/ctrl/Providers.php b/php/ctrl/Providers.php
index 84e6d560..e3a694c8 100644
--- a/php/ctrl/Providers.php
+++ b/php/ctrl/Providers.php
@@ -8,13 +8,6 @@
 require_once(__ROOT__ . "php/inc/database.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 
-
-
-if (!isset($_SESSION)) {
-    session_start();
- }
- 
-
 try{
 
     switch ($_REQUEST['oper']) {
diff --git a/php/ctrl/Report.php b/php/ctrl/Report.php
index 79f05143..f95e8d55 100644
--- a/php/ctrl/Report.php
+++ b/php/ctrl/Report.php
@@ -6,11 +6,6 @@
 require_once(__ROOT__ . "php/inc/database.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 
-
-if (!isset($_SESSION)) {
-    session_start();
-}
-
 try{
 
     switch (get_param('oper')) {
diff --git a/php/ctrl/Shop.php b/php/ctrl/Shop.php
index 0499f408..9dcad716 100644
--- a/php/ctrl/Shop.php
+++ b/php/ctrl/Shop.php
@@ -7,10 +7,6 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/utilities/shop.php");
 
-if (!isset($_SESSION)) {
-    session_start();
-}
-
 try{
 
     switch (get_param('oper')) {
diff --git a/php/ctrl/SmallQ.php b/php/ctrl/SmallQ.php
index 88c74f23..bcdf3bdf 100644
--- a/php/ctrl/SmallQ.php
+++ b/php/ctrl/SmallQ.php
@@ -9,9 +9,6 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . 'local_config/lang/'.get_session_language() . '.php');
 
-if (!isset($_SESSION)) {
-    session_start();
- }
 
 global $Text; 
 
diff --git a/php/ctrl/TableManager.php b/php/ctrl/TableManager.php
index a2d92064..72324ace 100644
--- a/php/ctrl/TableManager.php
+++ b/php/ctrl/TableManager.php
@@ -7,19 +7,9 @@
 require_once(__ROOT__ . "php/inc/database.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-              
 require_once(__ROOT__ . 'local_config/lang/' . get_session_language() . '.php');
 require_once(__ROOT__ . "php/utilities/tables.php");
 
-$use_session_cache = configuration_vars::get_instance()->use_session_cache;
-$use_canned_responses = configuration_vars::get_instance()->use_canned_responses;
-
-
-
 function get_columns_as_JSON()
 {
   global $special_table;
@@ -46,6 +36,10 @@ function get_options()
     if (strlen($options['filter'])>0) {
       $options['filter'] .= ' and ';
     }
+    
+    if (!isset($_SESSION)) {
+        session_start();
+    }
     $uf_id = 1000 + (int)($_SESSION['userdata']['uf_id']);
     $options['filter'] .= "aixada_account.account_id=$uf_id";
     // we do this here so that the user can't hijack other users' account data 
@@ -186,8 +180,7 @@ function post_create_hook($index, $request)
 
   require_once(__ROOT__ . 'php/lib/table_manager.php');
   if (!$special_table)
-    $tm = new table_manager($_REQUEST['table'], 
-			    configuration_vars::get_instance()->use_session_cache);
+    $tm = new table_manager($_REQUEST['table']);
 
   switch ($_REQUEST['oper']) {
   case 'get_by_id':
diff --git a/php/ctrl/UserAndUf.php b/php/ctrl/UserAndUf.php
index 96237a18..504e3105 100644
--- a/php/ctrl/UserAndUf.php
+++ b/php/ctrl/UserAndUf.php
@@ -8,12 +8,6 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/utilities/useruf.php");
 
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-
 try{
    
 
diff --git a/php/ctrl/Validate.php b/php/ctrl/Validate.php
index 4aa6137f..89a13428 100644
--- a/php/ctrl/Validate.php
+++ b/php/ctrl/Validate.php
@@ -10,12 +10,6 @@
 require_once(__ROOT__ . "php/utilities/shop_and_order.php");
 require_once(__ROOT__ . "php/lib/validation_cart_manager.php");
 
-$use_session_cache = configuration_vars::get_instance()->use_session_cache;
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
 DBWrap::get_instance()->debug = true;
 
 try{
diff --git a/php/inc/cookie.inc.php b/php/inc/cookie.inc.php
index 6cc03d79..f8c3edc6 100644
--- a/php/inc/cookie.inc.php
+++ b/php/inc/cookie.inc.php
@@ -6,12 +6,6 @@
 require_once(__ROOT__ . 'php'.DS.'lib'.DS.'exceptions.php');
 require_once(__ROOT__ . 'php'.DS.'inc'.DS.'database.php');
 
-if (!isset($_SESSION)) {
-    session_start();
-}
-
-
-
 /**
  * The following class implements cookies, based on an
  * implementation from George Schlossnagle, Advanced PHP Programming, p.341
@@ -31,39 +25,10 @@
 
 class Cookie {
   // Aixada data
-  private $logged_in = false;
-  private $user_id;
-  private $login;
-  private $uf_id; 
-  private $member_id; 
-  private $provider_id;
-  private $roles;
-  private $current_role;
-  private $language_keys;
-  private $language_names;
-  private $current_language_key;
-  private $theme; 
+  private $session; 
 
-  // Cookie data
-  private $created;
-  private $version;
-  // the mcrypt handle
-  private $td;
-
-  // mcrypt information
-  static $cypher  = 'blowfish';
-  static $mode    = 'cfb';
-  static $key     = 'aIxAdA947AiXaDa';
-
-  // cookie format information
-  static $cookiename = 'USERAUTH';
-  static $myversion  = '1';
-  // when to expire the cookie
-  static $expiration = '6000';
   // when to reissue 
   static $resettime = '3000';
-  static $glue  = '|';
-  static $array_glue = '~';
 
   public function __construct($logged_in=false, 
                               $user_id=false, 
@@ -77,30 +42,27 @@ public function __construct($logged_in=false,
                               $language_names=false, 
                               $current_language_key=false, 
                               $theme=false) {
-      $this->td = mcrypt_module_open(self::$cypher, '', self::$mode, '');
-      if (!$this->td) 
-	  die("<br>Error in opening mcrypt with cypher=".self::$cypher .", mode=".self::$mode."<br>");
+      if (!isset($_SESSION)) {
+          session_cache_expire(120);
+          session_start();
+      }
       if ($logged_in) {
-		  $this->logged_in = true;
-		  $this->user_id = $user_id;
-		  $this->login = $login;
-		  $this->uf_id = $uf_id; 
-		  $this->member_id = $member_id; 
-		  $this->provider_id = $provider_id;
-		  $this->roles = $roles;
-		  $this->current_role = $current_role;
-		  $this->language_keys = $language_keys;
-		  $this->language_names = $language_names;
-		  $this->current_language_key = $current_language_key;
-		  $this->theme = $theme;
-		  return;
-      } else {
-		  if (array_key_exists(self::$cookiename, $_COOKIE)) {
-		      $buffer = $this->_unpackage($_COOKIE[self::$cookiename]);
-		  } else {
-		      var_dump($_COOKIE);
-		      throw new AuthException("Bad cookie");
-		  }
+		  $this->session = array(
+              'user_id' => $user_id,
+              'login' => $login,
+              'uf_id' => $uf_id, 
+              'member_id' => $member_id, 
+              'provider_id' => $provider_id,
+              'roles' => $roles,
+              'current_role' => $current_role,
+              'language_keys' => $language_keys,
+              'language_names' => $language_names,
+              'language' => $current_language_key,
+              'theme' => $theme
+          );
+          $this->save();
+      } else if (isset($_SESSION['userdata'])) {
+          $this->session = $_SESSION['userdata'];
       }
   }
 
@@ -108,23 +70,12 @@ public function __construct($logged_in=false,
    * This function packages, encrypts and sets the cookie. Moreover,
    * it copies all relevant data into $_SESSION['userdata'] 
    */
-  public function set() {
-      $cookie = $this->package();
-      $userdata=array('user_id'      => $this->user_id, 
-		      'login'         => $this->login, 
-		      'uf_id'        => $this->uf_id, 
-		      'member_id'    => $this->member_id, 
-		      'provider_id'  => $this->provider_id,
-		      'roles'   => $this->roles,
-		      'current_role' => $this->current_role,
-		      'language_keys' => $this->language_keys,
-		      'language_names' => $this->language_names,
-		      'language' => $this->current_language_key,
-		      'theme' => $this->theme);
-      $_SESSION['userdata'] = $userdata;
-      $_COOKIE[self::$cookiename] = $cookie;
-      //      setcookie(self::$cookiename, $cookie); 
-      //  don't do this, because it leads to a duplicate cookie.
+  private function save() {
+      if (!isset($this->session)) {
+          throw new AuthException("Bad session");
+      }
+      $_SESSION['userdata'] = $this->session;
+      session_commit();
   }
 
   /**
@@ -133,33 +84,11 @@ public function set() {
    * also set.
    */
   public function validate() {
-    if (!$this->version || !$this->created || !$this->user_id) {
-      throw new AuthException("Malformed cookie");
-    }
-    if ($this->version != self::$myversion) {
-      throw new AuthException("Version mismatch");
-    }
-    if (!$this->logged_in) {
+    if (isset($this->session)) {
+        return $this->session;
+    } else {
         throw new AuthException("Not logged in");
     }
-    if ((time() - $this->created) > self::$resettime) {
-      $this->set();
-    }
-    if (!isset($_SESSION['userdata'])) {
-        $userdata=array('logged_in'    => $this->logged_in,
-                        'user_id'      => $this->user_id, 
-                        'login'        => $this->login, 
-                        'uf_id'        => $this->uf_id, 
-                        'member_id'    => $this->member_id, 
-                        'provider_id'  => $this->provider_id,
-                        'roles'        => $this->roles,
-                        'current_role' => $this->current_role,
-                        'language_keys'     => $this->language_keys,
-                        'language_names'     => $this->language_names,
-                        'language' => $this->current_language_key,
-						'theme' => $this->theme);
-      $_SESSION['userdata'] = $userdata;
-    }
   }
 
 
@@ -168,9 +97,11 @@ public function validate() {
    * is written to the cookie and to $_SESSION['userdata'].
    */
   public function change_role($new_role) {
-      $this->current_role   = $new_role;
-      $_SESSION['userdata']['current_role']   = $this->current_role;
-      $this->set();
+      if (!in_array($new_role, $this->session['roles'])) {
+          throw new AuthException("Not logged in role");
+      }
+      $this->session['current_role'] =  $new_role;
+      $this->save();
   }
 
   /**
@@ -178,108 +109,14 @@ public function change_role($new_role) {
    * is written to the cookie and to $_SESSION['userdata'].
    */
   public function change_language($new_language_key) {
-      $this->current_language_key = $new_language_key;
-      $_SESSION['userdata']['language'] = $this->current_language_key;
-      $this->set();
-  }
-
-  public function logout() {
-    unset($_SESSION['userdata']);
-    unset($_COOKIE[self::$cookiename]);
-    setcookie(self::$cookiename, '', time() - 3600);
-    /* $this->logged_in = false; */
-    /* $this->user_id=false;  */
-    /* $this->login = false;  */
-    /* $this->uf_id=false;  */
-    /* $this->member_id=false;  */
-    /* $this->provider_id=false;  */
-    /* $this->roles=false;  */
-    /* $this->current_role=false;  */
-    /* $this->language_keys=false;  */
-    /* $this->language_names=false;  */
-    /* $this->current_language_key=false;  */
-    /* $this->theme=false; */
-
-    /* $this->set(); */
-  }
-
-  /**
-   *  Package the cookie. 
-   */
-  public function package() {
-      if ($this->logged_in) {
-	  $parts = array(self::$myversion, 
-			 time(), 
-			 $this->logged_in,
-			 $this->user_id, 
-			 $this->login,
-			 $this->uf_id, 
-			 $this->member_id, 
-			 $this->provider_id,
-			 implode(self::$array_glue, $this->roles),
-			 $this->current_role,
-			 implode(self::$array_glue, $this->language_keys),
-			 implode(self::$array_glue, $this->language_names),
-			 $this->current_language_key,
-			 $this->theme);
-	  $cookie = implode(self::$glue, $parts);
-      } else {
-	  $cookie = 'x';
+      if (!in_array($new_language_key, $this->session['language_keys'])) {
+          throw new AuthException("Language is not valid");
       }
-      return urlencode($this->_encrypt($cookie));
+      $this->session['language'] = $new_language_key;
+      $this->save();
   }
 
-  private function _unpackage($cookie) {
-      if ($cookie == '') {
-	  $this->logout();
-	  return;
-      }
-      $buffer = $this->_decrypt(urldecode($cookie));
-      list($this->version, 
-	   $this->created, 
-	   $this->logged_in,
-	   $this->user_id, 
-	   $this->login,
-	   $this->uf_id, 
-	   $this->member_id, 
-	   $this->provider_id, 
-	   $role_array,
-	   $this->current_role,
-	   $lang_key_array,
-	   $lang_name_array,
-	   $this->current_language_key,
-	   $this->theme) = explode(self::$glue, $buffer);
-        
-      $this->roles = explode(self::$array_glue, $role_array);
-      $this->language_keys = explode(self::$array_glue, $lang_key_array);
-      $this->language_names = explode(self::$array_glue, $lang_name_array);
-      if ($this->version != self::$myversion || !$this->created || ! $this->user_id) {
-	  throw new AuthException();
-      }
-  }
-
-  protected function _encrypt($plaintext) {
-      $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($this->td), MCRYPT_RAND);
-      if (!$iv) throw new AuthException("error in iv ");
-      mcrypt_generic_init($this->td, self::$key, $iv);
-      $crypttext = mcrypt_generic($this->td, $plaintext);
-      mcrypt_generic_deinit($this->td);
-      return $iv.$crypttext;
-  }
-
-  protected function _decrypt($crypttext) {
-      $ivsize = mcrypt_enc_get_iv_size($this->td);
-      $iv = substr($crypttext, 0, $ivsize);
-      $subtext = substr($crypttext, $ivsize);
-      mcrypt_generic_init($this->td, self::$key, $iv);
-      $plaintext = mdecrypt_generic ($this->td, $subtext);
-      mcrypt_generic_deinit($this->td);
-      return $plaintext;
-  }
-
-  private function _reissue() {
-      $this->created = time();
+  public function logout() {
+    session_destroy();
   }
-
 }
-?>
\ No newline at end of file
diff --git a/php/inc/database.php b/php/inc/database.php
index 301311bf..2c1dd73c 100644
--- a/php/inc/database.php
+++ b/php/inc/database.php
@@ -19,11 +19,6 @@
 require_once(__ROOT__ . 'php'.DS.'utilities'.DS.'general.php');
 require_once(__ROOT__ . 'php'.DS.'lib'.DS.'exceptions.php');
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-
 require_once(__ROOT__ . 'local_config'.DS.'lang'.DS. get_session_language() . '.php');
 
 
@@ -307,8 +302,6 @@ public function Insert ($arrData)
 	  }
       }
       $strSQL .= ') ' . $strVAL . ');';
-      if (isset($_SESSION['fkeys'][$table_name]))
-	  unset($_SESSION['fkeys'][$table_name]);
       return $this->do_Execute($strSQL); // TODO: extract new index
   }
 
@@ -343,8 +336,6 @@ public function Update($arrData)
 	  }
       }
       $strSQL .= ' WHERE id=' . $this->mysqli->real_escape_string($arrData['id']) . ';';
-      if (isset($_SESSION['fkeys'][$table_name]))
-	  unset($_SESSION['fkeys'][$table_name]);
       
       $success = $this->do_Execute($strSQL);
     
diff --git a/php/inc/header.inc.php b/php/inc/header.inc.php
index ff1afcce..e7a53357 100644
--- a/php/inc/header.inc.php
+++ b/php/inc/header.inc.php
@@ -11,6 +11,9 @@
    try {
        $cookie = new Cookie();
        $cookie->validate();
+       if (!isset($_SESSION)) {
+           session_start();
+       }
        if (isset($_SESSION['userdata']) 
 	   and isset($_SESSION['userdata']['current_role']) 
 	   and $_SESSION['userdata']['current_role'] !== false) {
@@ -25,11 +28,6 @@
 	       }
 	   }
 	   if ($forbidden) {
-	       /* $firephp->log('forbidden'); */
-	       /* $firephp->log($uri, 'uri'); */
-	       /* $firephp->log($role, 'role'); */
-	       /* $firephp->log($_SESSION, 'session'); */
-	       /* $firephp->log($_SERVER, 'server'); */
 	       header("Location: index.php");
 	   }
      }
diff --git a/php/inc/menu.inc.php b/php/inc/menu.inc.php
index 860db6f7..ae4ed7c5 100644
--- a/php/inc/menu.inc.php
+++ b/php/inc/menu.inc.php
@@ -1,49 +1,55 @@
 <div id="logonStatus">
 	<p class="ui-widget">
-		<?php 
+<?php 
+    if (!isset($_SESSION)) {
+        session_start();
+    }
+    if ($_SESSION['userdata']['login'] != '') {
+        // Help
+        echo '<a href="docs/index_' . get_session_language() . '.php" target="_blank">' .
+            $Text['nav_help'] . '</a> | ';	
+        
+        // Login name and uf_id
+        echo  $Text['nav_signedIn'] . " " . $_SESSION['userdata']['login'] . 
+            " | " . $Text['uf_long'] . ' ' . $_SESSION['userdata']['uf_id'] .
+            " | " . $_SESSION['userdata']['provider_id'];
+        
+        // Select rol
+        echo '<select size="0" name="role_select" id="role_select">';
+        foreach ($_SESSION['userdata']['roles'] as $role) {
+            echo '<option';
+            $rt = (isset($Text[$role]) ? $Text[$role] : "TRANSLATE[$role]");
+            if ($role == $_SESSION['userdata']['current_role']) {
+                echo ' selected';
+            }
+            echo ' value="' . $role. '">' . $rt . '</option>'; 
+        } 
+        echo '</select> ';
 
-   	if ($_SESSION['userdata']['login'] != '') {
+        // Select lang
+        $cfg_use_shop = get_config('use_shop', 'order_and_stock');
+        if (get_config('show_menu_language_select', false)) {
+            echo '<select size="0" name="lang_select" id="lang_select">';
+            $keys = $_SESSION['userdata']['language_keys'];
+            $names = $_SESSION['userdata']['language_names'];
+            for ($i=0; $i < count($keys); $i++) {
+                echo '<option';
+                if ($keys[$i] == $_SESSION['userdata']['language']) {
+                    echo ' selected';
+                }
+                echo ' value="' . $keys[$i]. '">' . $names[$i] . '</option>'; 
+            } 
+            echo '</select> ';
+        }
+        echo " | ";
 
-   		echo '<a href="docs/index_'.get_session_language().'.php" target="_blank">'.$Text['nav_help'].'</a> | ';	
-   	if (isset($_SESSION['userdata']['can_checkout']) and
-           $_SESSION['userdata']['can_checkout']) {
-           echo '<font color="red">' . $Text['nav_can_checkout'] . '</font> ';
-       }
-     echo  $Text['nav_signedIn'] . " " . $_SESSION['userdata']['login'] . " | "
-       . $Text['uf_long'] . ' ' . $_SESSION['userdata']['uf_id'] . " | " 
-       . $_SESSION['userdata']['provider_id'];
-     echo '<select size="0" name="role_select" id="role_select">';
-     foreach ($_SESSION['userdata']['roles'] as $role) {
-       echo '<option';
-       $rt = (isset($Text[$role]) ? $Text[$role] : "TRANSLATE[$role]");
-       if ($role == $_SESSION['userdata']['current_role'])
-	 echo ' selected';
-       echo ' value="' . $role. '">' . $rt . '</option>'; 
-     } 
-     echo '</select> ';
-     
-     $cfg_use_shop = get_config('use_shop', 'order_and_stock');
-     if (get_config('show_menu_language_select', false)) {
-	     echo '<select size="0" name="lang_select" id="lang_select">';
-	       $keys = $_SESSION['userdata']['language_keys'];
-	       $names = $_SESSION['userdata']['language_names'];
-	       for ($i=0; $i < count($keys); $i++) {
-	           echo '<option';
-	           if ($keys[$i] == $_SESSION['userdata']['language'])
-	               echo ' selected';
-	           echo ' value="' . $keys[$i]. '">' . $names[$i] . '</option>'; 
-	       } 
-	     echo '</select> ';
-     }
-       echo " | ";
-      
-      
-	 echo "<a href='javascript:void(null)' id='logoutRef'>".$Text['nav_logout']."</a>";
- 
-   } else {
-     echo ("userdata not set");
-     header('Location:login.php');
-   }
+        // logout
+        echo "<a href='javascript:void(null)' id='logoutRef'>" .
+            $Text['nav_logout'] . "</a>";
+    } else {
+        echo "userdata not set";
+        header('Location:login.php');
+    }
 
 ?>
 	</p>
diff --git a/php/lib/report_manager.php b/php/lib/report_manager.php
index 36633b41..20b73650 100644
--- a/php/lib/report_manager.php
+++ b/php/lib/report_manager.php
@@ -9,10 +9,6 @@
 require_once(__ROOT__ . 'local_config/config.php');
 require_once(__ROOT__ . 'php'.DS.'utilities'.DS.'general.php');
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
 require_once(__ROOT__ . 'local_config'.DS.'lang'.DS. get_session_language() . '.php');
 require_once(__ROOT__ . 'php/inc/database.php');
 
diff --git a/php/lib/report_orders.php b/php/lib/report_orders.php
index 71425b5c..d455652f 100644
--- a/php/lib/report_orders.php
+++ b/php/lib/report_orders.php
@@ -4,9 +4,6 @@
  */
 require_once(__ROOT__ . 'local_config/config.php');
 require_once(__ROOT__ . 'php/utilities/general.php');
-if (!isset($_SESSION)) {
-    session_start();
-}
 require_once(__ROOT__ . 'local_config/lang/' . get_session_language() . '.php');
 require_once(__ROOT__ . 'php/inc/database.php');
 
diff --git a/php/utilities/general.php b/php/utilities/general.php
index 98a2415d..b484902c 100644
--- a/php/utilities/general.php
+++ b/php/utilities/general.php
@@ -9,11 +9,13 @@
  * the value is set. 
  */
 function get_session_user_id() {
-	
+	if (!isset($_SESSION)) {
+        session_start();
+    }
 	if (isset($_SESSION['userdata']['user_id']) && $_SESSION['userdata']['user_id'] > 0 ) {
 		return $_SESSION['userdata']['user_id'];
 	} else {
-		throw new Exception("$_Session data user_id is not set!! ");
+		throw new Exception("Session data user_id is not set!! ");
 	}
 }
 
@@ -23,11 +25,13 @@ function get_session_user_id() {
  * returns the uf of the logged user. 
  */
 function get_session_uf_id() {
-	
+	if (!isset($_SESSION)) {
+        session_start();
+    }
 	if (isset($_SESSION['userdata']['uf_id']) && $_SESSION['userdata']['uf_id'] > 0 ) {
 		return $_SESSION['userdata']['uf_id'];
 	} else {
-		throw new Exception("$_Session data uf_id is not set!! ");
+		throw new Exception("Session data uf_id is not set!! ");
 	}
 }
 
@@ -37,11 +41,13 @@ function get_session_uf_id() {
  * Returns the member_id of the logged user. 
  */
 function get_session_member_id() {
-	
+	if (!isset($_SESSION)) {
+        session_start();
+    }
 	if (isset($_SESSION['userdata']['member_id']) && $_SESSION['userdata']['member_id'] > 0 ) {
 		return $_SESSION['userdata']['member_id'];
 	} else {
-		throw new Exception("$_Session data member_id is not set!! ");
+		throw new Exception("Session data member_id is not set!! ");
 	}	
 }
 
@@ -50,11 +56,13 @@ function get_session_member_id() {
  * Returns the login of the logged user. 
  */
 function get_session_login() {
-	
+	if (!isset($_SESSION)) {
+        session_start();
+    }
 	if (isset($_SESSION['userdata']['login']) && $_SESSION['userdata']['login'] != "") {
 		return $_SESSION['userdata']['login'];
 	} else {
-		throw new Exception("$_Session data login is not set!! ");
+		throw new Exception("Session data login is not set!! ");
 	}	
 }
 
@@ -64,10 +72,13 @@ function get_session_login() {
  * returns the language for the logged user
  */
 function get_session_language() {
+    if (!isset($_SESSION)) {
+        session_start();
+    }
     if (isset($_SESSION['userdata']['language']) and $_SESSION['userdata']['language'] != '') {
-	return $_SESSION['userdata']['language'];
+        return $_SESSION['userdata']['language'];
     } else {
-	return	configuration_vars::get_instance()->default_language;
+        return configuration_vars::get_instance()->default_language;
     }
 }
 
@@ -77,6 +88,9 @@ function get_session_language() {
  * returns the theme for the logged user
  */
 function get_session_theme() {
+    if (!isset($_SESSION)) {
+        session_start();
+    }
     if (isset($_SESSION['userdata']['theme']) and $_SESSION['userdata']['theme'] != '') {
 		return $_SESSION['userdata']['theme'];
     } else {
@@ -91,6 +105,9 @@ function get_session_theme() {
  */
 function get_current_role()
 {
+    if (!isset($_SESSION)) {
+        session_start();
+    }
 	 if (isset($_SESSION['userdata']['current_role']) and $_SESSION['userdata']['current_role'] != '') {
 		return $_SESSION['userdata']['current_role'];
     } else {

From f10b2b6326b504e05331ae6cba8ec5f44441bb70 Mon Sep 17 00:00:00 2001
From: jorix <xavier.mamano@gmail.com>
Date: Sat, 8 Dec 2018 19:25:39 +0100
Subject: [PATCH 2/5] Review code used by old cookie.

* Use php/ctrl/AixadaSession.php instead of Cookie.php
* Moves old part of code /inc/cookie.inc.php to /utilities/general.php
* Remove usage of `$_SESSION` in favor of the new code in `general.php`
* Use `validate_session()` in the controllers **to prevent its use without being logged in**.
---
 activate_roles.php                      |   5 +-
 js/aixadautilities/jquery.aixadaMenu.js |   4 +-
 login.php                               |   3 -
 manage_data.php                         |  10 +-
 manage_ufmember.php                     |   5 +-
 php/ctrl/Account.php                    |   2 +
 php/ctrl/ActivateProducts.php           |   3 +-
 php/ctrl/ActivateRoles.php              |   8 +-
 php/ctrl/Admin.php                      |   2 +-
 php/ctrl/AixadaSession.php              |  47 +++++++
 php/ctrl/Cookie.php                     |  53 --------
 php/ctrl/Dates.php                      |   2 +
 php/ctrl/ImportExport.php               |   8 +-
 php/ctrl/Incidents.php                  |   8 ++
 php/ctrl/InstallAixada.php              |   2 +-
 php/ctrl/Login.php                      |   6 +-
 php/ctrl/ManageData.php                 |   5 +-
 php/ctrl/Orders.php                     |   2 +-
 php/ctrl/Providers.php                  |   1 +
 php/ctrl/Report.php                     |   1 +
 php/ctrl/Shop.php                       |   1 +
 php/ctrl/ShopAndOrder.php               |  15 +--
 php/ctrl/SmallQ.php                     |   5 +-
 php/ctrl/Statistics.php                 |  13 +-
 php/ctrl/TableManager.php               |  11 +-
 php/ctrl/UserAndUf.php                  |   2 +-
 php/ctrl/Validate.php                   |   2 +-
 php/inc/cookie.inc.php                  | 122 -----------------
 php/inc/header.inc.base.php             |   6 +-
 php/inc/header.inc.php                  |  13 +-
 php/inc/menu.inc.php                    |  23 ++--
 php/utilities/general.php               | 172 ++++++++++++++++--------
 32 files changed, 225 insertions(+), 337 deletions(-)
 create mode 100644 php/ctrl/AixadaSession.php
 delete mode 100644 php/ctrl/Cookie.php
 delete mode 100644 php/inc/cookie.inc.php

diff --git a/activate_roles.php b/activate_roles.php
index 3079d029..87254999 100644
--- a/activate_roles.php
+++ b/activate_roles.php
@@ -16,10 +16,7 @@
  	<script type="text/javascript" src="js/jqueryui/i18n/jquery.ui.datepicker-<?=$language;?>.js" ></script>
    
     <?php 
-        if (!isset($_SESSION)) {
-            session_start();
-        }
-        $the_role = $_SESSION['userdata']['current_role'];
+        $the_role = get_current_role();
     ?>
 	<script type="text/javascript">
 	$(function(){
diff --git a/js/aixadautilities/jquery.aixadaMenu.js b/js/aixadautilities/jquery.aixadaMenu.js
index 6e7aac37..c3249508 100644
--- a/js/aixadautilities/jquery.aixadaMenu.js
+++ b/js/aixadautilities/jquery.aixadaMenu.js
@@ -54,7 +54,7 @@ $(function(){
 		var rq_uri = window.location;
    		$.ajaxQueue({
    			type: "POST",
-            url: "php/ctrl/Cookie.php?change_role_to=" + new_role + "&originating_uri=" + rq_uri,
+            url: "php/ctrl/AixadaSession.php?change_role_to=" + new_role + "&originating_uri=" + rq_uri,
             dataType: "xml",
             success:  function(xml){
 		window.location.href = $(xml).find('navigation').text(); 
@@ -86,7 +86,7 @@ $(function(){
 		var rq_uri = window.location;
    		$.ajaxQueue({
    			type: "POST",
-            url: "php/ctrl/Cookie.php?change_lang_to=" + new_lang + "&originating_uri=" + rq_uri,
+            url: "php/ctrl/AixadaSession.php?change_lang_to=" + new_lang + "&originating_uri=" + rq_uri,
             dataType: "xml",
             success:  function(xml){
             window.location.href = $(xml).find('navigation').text();
diff --git a/login.php b/login.php
index f33f8d6e..230c97f4 100644
--- a/login.php
+++ b/login.php
@@ -39,9 +39,6 @@
 	<script type="text/javascript">
 		$(function(){
 			$.ajaxSetup({ cache: false });
-
-			document.cookie = 'USERAUTH=';
-			
 			/**
 			 *	logon stuff
 			 */
diff --git a/manage_data.php b/manage_data.php
index 75b1d527..2a14a013 100644
--- a/manage_data.php
+++ b/manage_data.php
@@ -15,8 +15,7 @@ function check_manager_exist($table_name) {
     }
     
 	/**
-	 * This function looks at the current_role written to the
-	 * cookie and the $_SESSION['userdata'] to determine if the table
+	 * This function looks at the current_role to determine if the table
 	 * currently requested may be edited by the user in the current role.
 	 */
     function may_edit_table($data_table) {
@@ -25,12 +24,9 @@ function may_edit_table($data_table) {
         if ($prefix !== 'aixada') {
             $table_aux = '_' . $prefix.$table_aux;
         }
-        if (!isset($_SESSION)) {
-            session_start();
-        }
-        if (isset($_SESSION['userdata'])) {
+        if (is_created_session()) {
             $rights_of = get_config('rights_of');
-            $current_role = $_SESSION['userdata']['current_role'];
+            $current_role = get_current_role();
             if (in_array('may_edit' . $table_aux, $rights_of[$current_role])) {
                 return true;
             }
diff --git a/manage_ufmember.php b/manage_ufmember.php
index 2091c6b9..7b28264d 100644
--- a/manage_ufmember.php
+++ b/manage_ufmember.php
@@ -43,10 +43,7 @@
 
 		//show/hide reset pwd. 
 		var isAdmin = "<?php
-            if (!isset($_SESSION)) {
-                session_start();
-            }
-            echo $_SESSION['userdata']['current_role'];
+            echo get_current_role();
         ?>";
 		isAdmin = (isAdmin == "Hacker Commission")? true:false; 
 
diff --git a/php/ctrl/Account.php b/php/ctrl/Account.php
index eb8badac..5dd5b449 100644
--- a/php/ctrl/Account.php
+++ b/php/ctrl/Account.php
@@ -9,6 +9,8 @@
 require_once(__ROOT__ . "php/lib/account_operations.php");
 
 try{ 
+    validate_session(); // The user must be logged in.
+    
    	$ao = new account_operations();
  	switch ($_REQUEST['oper']) {
         case 'getAccounts':
diff --git a/php/ctrl/ActivateProducts.php b/php/ctrl/ActivateProducts.php
index 4d6dc3d0..bdf2cb06 100644
--- a/php/ctrl/ActivateProducts.php
+++ b/php/ctrl/ActivateProducts.php
@@ -13,7 +13,8 @@
 //DBWrap::get_instance()->debug = true;
 
 try{
-	
+  validate_session(); // The user must be logged in.
+  
   switch($_REQUEST['oper']) {
   	
 	  case 'listAllOrderableProviders':
diff --git a/php/ctrl/ActivateRoles.php b/php/ctrl/ActivateRoles.php
index 63b7307d..128b2fce 100644
--- a/php/ctrl/ActivateRoles.php
+++ b/php/ctrl/ActivateRoles.php
@@ -7,13 +7,9 @@
 require_once(__ROOT__ . "php/inc/database.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-
 try{
-  $op_id = $_SESSION['userdata']['uf_id'];
+  validate_session(); // The user must be logged in.
+    
   $user_id = isset($_REQUEST['user_id']) ? $_REQUEST['user_id'] : '';
 
 
diff --git a/php/ctrl/Admin.php b/php/ctrl/Admin.php
index 57629ece..be3a3c25 100644
--- a/php/ctrl/Admin.php
+++ b/php/ctrl/Admin.php
@@ -8,7 +8,7 @@
 require_once __ROOT__ . "php/utilities/general.php";
 
 try{
-
+  validate_session(); // The user must be logged in.
 	
   switch (get_param('oper')) {
 	
diff --git a/php/ctrl/AixadaSession.php b/php/ctrl/AixadaSession.php
new file mode 100644
index 00000000..4f8e2ab3
--- /dev/null
+++ b/php/ctrl/AixadaSession.php
@@ -0,0 +1,47 @@
+<?php
+
+define('DS', DIRECTORY_SEPARATOR);
+define('__ROOT__', dirname(dirname(dirname(__FILE__))).DS); 
+
+require_once __ROOT__ . 'php/lib/exceptions.php';
+require_once __ROOT__ . 'php/utilities/general.php';
+
+try {
+
+    $uri = (isset($_REQUEST['originating_uri']) ? $_REQUEST['originating_uri'] : 'index.php');
+    if (isset($_REQUEST['change_role_to'])) {
+        $new_role = $_REQUEST['change_role_to'];
+        if (is_created_session()) {
+            change_session_role($new_role);
+            $fp = get_config('forbidden_pages');
+            if (!$uri || isset($fp[$new_role])) {
+                foreach($fp[$new_role] as $page) {
+                    if (strpos($uri, $page) !== false) {
+                        $uri = 'index.php';
+                        break;
+                    }
+                }
+            }
+        } else {
+            $uri = 'login.php';
+        }
+        printXML('<row><navigation>' . $uri . '</navigation></row>');
+        exit;
+    }
+    
+    if (isset($_REQUEST['change_lang_to'])) {
+        $new_lang = $_REQUEST['change_lang_to'];
+        if (is_created_session()) {
+            change_session_language($new_lang);
+        } else {
+            $uri = 'login.php';
+        }
+        printXML('<row><navigation>' . $uri . '</navigation></row>');
+        exit;        
+    }
+}
+
+catch(Exception $e) {
+  header('HTTP/1.0 401 ' . $e->getMessage());
+  die($e->getMessage());
+}  
diff --git a/php/ctrl/Cookie.php b/php/ctrl/Cookie.php
deleted file mode 100644
index 9be943b8..00000000
--- a/php/ctrl/Cookie.php
+++ /dev/null
@@ -1,53 +0,0 @@
-<?php
-
-define('DS', DIRECTORY_SEPARATOR);
-define('__ROOT__', dirname(dirname(dirname(__FILE__))).DS); 
-
-require_once(__ROOT__ . "php/utilities/general.php");
-require_once(__ROOT__ . 'php/inc/cookie.inc.php');
-
-try {
-    $cookie = new Cookie();
-    $cookie->validate();
-    $uri = (isset($_REQUEST['originating_uri']) ? $_REQUEST['originating_uri'] : 'index.php');
-}   
-catch (AuthException $e) {
-    header('HTTP/1.0 401 ' . $e->getMessage());
-    die($e->getMessage());
-}
-
-try {
-    if (isset($_REQUEST['change_role_to'])) {
-        $new_role = $_REQUEST['change_role_to'];
-        $cookie->change_role($new_role);
-        $fp = configuration_vars::get_instance()->forbidden_pages;
-        if (!$uri || isset($fp[$new_role])) {
-            $forbidden = false;
-            foreach($fp[$new_role] as $page) {
-                if (strpos($uri, $page) !== false) {
-                    $forbidden = true;
-                    break;
-                }
-            }
-            if ($forbidden) 
-                $uri = 'index.php';
-        }
-        printXML('<row><navigation>' . $uri . '</navigation></row>');
-        exit;
-    }
-    
-    if (isset($_REQUEST['change_lang_to'])) {
-        $new_lang = $_REQUEST['change_lang_to'];
-        $cookie->change_language($new_lang);
-        printXML('<row><navigation>' . $uri . '</navigation></row>');
-        exit;        
-    }
-}
-
-catch(Exception $e) {
-  header('HTTP/1.0 401 ' . $e->getMessage());
-  die($e->getMessage());
-}  
-
-
-?>
\ No newline at end of file
diff --git a/php/ctrl/Dates.php b/php/ctrl/Dates.php
index d2168bed..7808d3a7 100644
--- a/php/ctrl/Dates.php
+++ b/php/ctrl/Dates.php
@@ -15,6 +15,8 @@ function extract_data($what) {
 }
 
 try{
+    validate_session(); // The user must be logged in.
+    
     $oper = extract_data('oper');
     $date = extract_data('date');
 
diff --git a/php/ctrl/ImportExport.php b/php/ctrl/ImportExport.php
index 421e5136..9fc8fedf 100644
--- a/php/ctrl/ImportExport.php
+++ b/php/ctrl/ImportExport.php
@@ -27,13 +27,9 @@
 ob_start();
 $firephp = FirePHP::getInstance(true);
 
-
-if (!isset($_SESSION)) {
-    session_start();
-}
-
 try{ 
-   
+	validate_session(); // The user must be logged in.
+
 	global $firephp; 
 	
  	switch (get_param('oper')) {
diff --git a/php/ctrl/Incidents.php b/php/ctrl/Incidents.php
index efc98a48..227a3064 100644
--- a/php/ctrl/Incidents.php
+++ b/php/ctrl/Incidents.php
@@ -9,7 +9,15 @@
 require_once(__ROOT__ . "php/utilities/incidents.php");
 
 try{
+    if (get_param('oper') === 'getIncidentsListing' && 
+        get_param('type', 1) == 3 // Incident sent to portal (used in login.php)
+    ) {
+        echo get_incidents_in_range(get_param('filter', 'prev2Month'), get_param('fromDate',0), get_param('toDate',0), get_param('type',1) );
+	    exit; 
+    }
 
+    validate_session(); // For all other requests, the user must be logged in
+    
     switch (get_param('oper')) {
     	    	
     	 case 'getIncidentTypes':
diff --git a/php/ctrl/InstallAixada.php b/php/ctrl/InstallAixada.php
index b54e7386..a2a976fb 100644
--- a/php/ctrl/InstallAixada.php
+++ b/php/ctrl/InstallAixada.php
@@ -65,7 +65,7 @@
                 ));
             } else {
                 // Do it!
-                $results .= "\n\nDone by: '{$_SESSION['userdata']['login']}' at " . date('Y-m-d H:i:s') . "\n\n";
+                $results .= "\n\nDone by: '" . get_session_login() . "' at " . date('Y-m-d H:i:s') . "\n\n";
                 
                 // Do a previous backup.
                 $results .= "\nA database backup has been created as:\n  "  .
diff --git a/php/ctrl/Login.php b/php/ctrl/Login.php
index 12f0d6c4..a8b0caf9 100644
--- a/php/ctrl/Login.php
+++ b/php/ctrl/Login.php
@@ -9,7 +9,6 @@
 require_once(__ROOT__ . "php/inc/authentication.inc.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/lib/exceptions.php");
-require_once(__ROOT__ . 'php/inc/cookie.inc.php');
 
 require_once(__ROOT__ . 'php/external/FirePHPCore/lib/FirePHPCore/FirePHP.class.php');
 ob_start();
@@ -25,8 +24,7 @@
 	  case 'logout':
 	      try {
 		  	  //global $firephp;
-	        $cookie=new Cookie();
-	        $cookie->logout();
+	        logout_session();
 		  	$h = 'Location:' . __ROOT__ . 'login.php';
 	      } 
 	      catch (AuthException $e) {
@@ -54,7 +52,7 @@
 	               $theme) = $auth->check_credentials(get_param('login'), get_param('password'));
 	      	  
 	          $langs = existing_languages();
-	          $cookie = new Cookie(true, 
+	          create_session( 
 	                               $user_id, 
 	                               $login, 
 	                               $uf_id, 
diff --git a/php/ctrl/ManageData.php b/php/ctrl/ManageData.php
index b32730f2..d01478f1 100644
--- a/php/ctrl/ManageData.php
+++ b/php/ctrl/ManageData.php
@@ -6,9 +6,6 @@
 require_once(__ROOT__ . "php/inc/database.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 
-if (!isset($_SESSION)) {
-    session_start();
-}
 $table_name = get_param('table');
 $oper = get_param('oper');
 if ($oper) {
@@ -16,6 +13,8 @@
         include_once(__ROOT__."php/ctrl/ManageData/{$table_name}.php");
         $data_manager = new data_manager();
         try {
+            validate_session(); // The user must be logged in.
+            
             switch ($oper) {
             case 'edit':
                 echo $data_manager->update($_REQUEST);
diff --git a/php/ctrl/Orders.php b/php/ctrl/Orders.php
index 564068d6..8e2533c0 100644
--- a/php/ctrl/Orders.php
+++ b/php/ctrl/Orders.php
@@ -9,7 +9,7 @@
 require_once(__ROOT__ . "php/utilities/orders.php");
 
 try{
-	
+	validate_session(); // The user must be logged in.
 
     switch (get_param('oper')) {
     	
diff --git a/php/ctrl/Providers.php b/php/ctrl/Providers.php
index e3a694c8..e86f920e 100644
--- a/php/ctrl/Providers.php
+++ b/php/ctrl/Providers.php
@@ -9,6 +9,7 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 
 try{
+    validate_session(); // The user must be logged in.
 
     switch ($_REQUEST['oper']) {
 
diff --git a/php/ctrl/Report.php b/php/ctrl/Report.php
index f95e8d55..25444fb1 100644
--- a/php/ctrl/Report.php
+++ b/php/ctrl/Report.php
@@ -7,6 +7,7 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 
 try{
+    validate_session(); // The user must be logged in.
 
     switch (get_param('oper')) {
     	
diff --git a/php/ctrl/Shop.php b/php/ctrl/Shop.php
index 9dcad716..2c864d48 100644
--- a/php/ctrl/Shop.php
+++ b/php/ctrl/Shop.php
@@ -8,6 +8,7 @@
 require_once(__ROOT__ . "php/utilities/shop.php");
 
 try{
+    validate_session(); // The user must be logged in.
 
     switch (get_param('oper')) {
     	
diff --git a/php/ctrl/ShopAndOrder.php b/php/ctrl/ShopAndOrder.php
index e4796de9..6fb42cd4 100644
--- a/php/ctrl/ShopAndOrder.php
+++ b/php/ctrl/ShopAndOrder.php
@@ -9,17 +9,10 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/utilities/shop_and_order.php");
 
-
-
-
-if (!isset($_SESSION)) {
-    session_start();
-}
-
 DBWrap::get_instance()->debug = true;
 
 try{
-	
+	validate_session(); // The user must be logged in.
 	
     // first we process those requests that don't need to construct a cart manager
     switch (get_param('oper')) {
@@ -108,17 +101,17 @@
     switch (get_param('what', $default='')) {
 	    case 'Shop':
 	        require_once(__ROOT__ . "php/lib/shop_cart_manager.php");
-	        $cm = new shop_cart_manager($_SESSION['userdata']['uf_id'], get_param('date')); 
+	        $cm = new shop_cart_manager(get_session_uf_id(), get_param('date')); 
 	        break;
 	      
 	    case 'Order':
 	        require_once(__ROOT__ . "php/lib/order_cart_manager.php");
-	        $cm = new order_cart_manager($_SESSION['userdata']['uf_id'], get_param('date')); 
+	        $cm = new order_cart_manager(get_session_uf_id(), get_param('date')); 
 	        break;
 	      
 	    case 'favorite_order':
 	        require_once(__ROOT__ . "php/lib/favorite_order_cart_manager.php");
-	        $cm = new favorite_order_cart_manager($_SESSION['userdata']['uf_id'], get_param('name')); 
+	        $cm = new favorite_order_cart_manager(get_session_uf_id(), get_param('name')); 
 	        break;
 	      
 	    default:
diff --git a/php/ctrl/SmallQ.php b/php/ctrl/SmallQ.php
index bcdf3bdf..9f2df654 100644
--- a/php/ctrl/SmallQ.php
+++ b/php/ctrl/SmallQ.php
@@ -13,7 +13,8 @@
 global $Text; 
 
 try{
-
+    validate_session(); // The user must be logged in.
+    
     switch ($_REQUEST['oper']) {
 
 	    case 'configMenu':
@@ -37,7 +38,7 @@
 	        printXML(existing_languages_XML());
 	        exit;
 	        
-	    //returns a list of all active providers for shopping (ony name and id). 
+	    //returns a list of all active providers for shopping (only name and id). 
 		case 'getActiveProviders':
 			printXML(stored_query_XML_fields('get_all_active_providers'));
 			exit;
diff --git a/php/ctrl/Statistics.php b/php/ctrl/Statistics.php
index eeeb4c76..8495937b 100644
--- a/php/ctrl/Statistics.php
+++ b/php/ctrl/Statistics.php
@@ -6,19 +6,10 @@
 
 require_once(__ROOT__ . "php/utilities/statistics.php");
 require_once(__ROOT__ . "php/utilities/visualization.php");
-
-
-$use_session_cache = true; 
-// This controls if the table_manager objects are stored in $_SESSION or not.
-// It looks like doing it cuts down considerably on execution time.
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-//DBWrap::get_instance()->debug = true;
+require_once __ROOT__ . "php/utilities/general.php";
 
 try{
+    validate_session(); // The user must be logged in.
     
     switch ($_REQUEST['oper']) {
 	    case 'uf':
diff --git a/php/ctrl/TableManager.php b/php/ctrl/TableManager.php
index 72324ace..68ef8b22 100644
--- a/php/ctrl/TableManager.php
+++ b/php/ctrl/TableManager.php
@@ -37,10 +37,7 @@ function get_options()
       $options['filter'] .= ' and ';
     }
     
-    if (!isset($_SESSION)) {
-        session_start();
-    }
-    $uf_id = 1000 + (int)($_SESSION['userdata']['uf_id']);
+    $uf_id = 1000 + (int)(get_session_uf_id());
     $options['filter'] .= "aixada_account.account_id=$uf_id";
     // we do this here so that the user can't hijack other users' account data 
     //by mangling the request in the browser
@@ -117,7 +114,7 @@ function post_edit_hook($request)
 	$db = DBWrap::get_instance();
 	$row = $db->Execute("select current_price from aixada_price where product_id=:1", $request['id'])->fetch_array();
 	if ($row[0] != $request['unit_price']) {
-	    $db->Execute("insert into aixada_price (product_id, current_price, operator_id) values (:1, :2, :3);", $request['id'], $request['unit_price'], $_SESSION['userdata']['user_id']);
+	    $db->Execute("insert into aixada_price (product_id, current_price, operator_id) values (:1, :2, :3);", $request['id'], $request['unit_price'], get_session_user_id());
 	}
 	break;
     default:
@@ -129,7 +126,7 @@ function post_create_hook($index, $request)
 {
     switch ($request['table']) {
     case 'aixada_product': 
-	DBWrap::get_instance()->Execute("insert into aixada_price (product_id, current_price, operator_id) values (:1, :2, :3);", $index, $request['unit_price'], $_SESSION['userdata']['user_id']);
+	DBWrap::get_instance()->Execute("insert into aixada_price (product_id, current_price, operator_id) values (:1, :2, :3);", $index, $request['unit_price'], get_session_user_id());
 	break;
     default:
 	break;
@@ -140,6 +137,8 @@ function post_create_hook($index, $request)
 
 
 try{
+  validate_session(); // The user must be logged in.
+  
   $special_table = ($_REQUEST['table'] == "aixada_user");
 
   if (!isset($_REQUEST['oper']))
diff --git a/php/ctrl/UserAndUf.php b/php/ctrl/UserAndUf.php
index 504e3105..4fb1a69b 100644
--- a/php/ctrl/UserAndUf.php
+++ b/php/ctrl/UserAndUf.php
@@ -9,7 +9,7 @@
 require_once(__ROOT__ . "php/utilities/useruf.php");
 
 try{
-   
+  validate_session(); // The user must be logged in.
 
   switch ($_REQUEST['oper']) {
   	    
diff --git a/php/ctrl/Validate.php b/php/ctrl/Validate.php
index 89a13428..9864079d 100644
--- a/php/ctrl/Validate.php
+++ b/php/ctrl/Validate.php
@@ -13,7 +13,7 @@
 DBWrap::get_instance()->debug = true;
 
 try{
-
+  validate_session(); // The user must be logged in.
 	
   switch (get_param('oper')) {
 
diff --git a/php/inc/cookie.inc.php b/php/inc/cookie.inc.php
deleted file mode 100644
index f8c3edc6..00000000
--- a/php/inc/cookie.inc.php
+++ /dev/null
@@ -1,122 +0,0 @@
-<?php
-/** 
- * @package Aixada
- */ 
-
-require_once(__ROOT__ . 'php'.DS.'lib'.DS.'exceptions.php');
-require_once(__ROOT__ . 'php'.DS.'inc'.DS.'database.php');
-
-/**
- * The following class implements cookies, based on an
- * implementation from George Schlossnagle, Advanced PHP Programming, p.341
- *
- * @param int $user_id stores the unique user id
- * @param int $uf_id stores the associated uf identifier, or empty
- * @param int $member_id stores the associated member identifier, or empty
- * @param int $provider_id stores the associated provider identifier, or empty
- * @param array $roles stores the associated role identifiers
- * @param string $current_role stores the current role
- * @param string $language stores the current language
- *
- * @package Aixada
- * @subpackage Authentication
- */
-
-
-class Cookie {
-  // Aixada data
-  private $session; 
-
-  // when to reissue 
-  static $resettime = '3000';
-
-  public function __construct($logged_in=false, 
-                              $user_id=false, 
-                              $login = false, 
-                              $uf_id=false, 
-                              $member_id=false, 
-                              $provider_id=false, 
-                              $roles=false, 
-                              $current_role=false, 
-                              $language_keys=false, 
-                              $language_names=false, 
-                              $current_language_key=false, 
-                              $theme=false) {
-      if (!isset($_SESSION)) {
-          session_cache_expire(120);
-          session_start();
-      }
-      if ($logged_in) {
-		  $this->session = array(
-              'user_id' => $user_id,
-              'login' => $login,
-              'uf_id' => $uf_id, 
-              'member_id' => $member_id, 
-              'provider_id' => $provider_id,
-              'roles' => $roles,
-              'current_role' => $current_role,
-              'language_keys' => $language_keys,
-              'language_names' => $language_names,
-              'language' => $current_language_key,
-              'theme' => $theme
-          );
-          $this->save();
-      } else if (isset($_SESSION['userdata'])) {
-          $this->session = $_SESSION['userdata'];
-      }
-  }
-
-  /**
-   * This function packages, encrypts and sets the cookie. Moreover,
-   * it copies all relevant data into $_SESSION['userdata'] 
-   */
-  private function save() {
-      if (!isset($this->session)) {
-          throw new AuthException("Bad session");
-      }
-      $_SESSION['userdata'] = $this->session;
-      session_commit();
-  }
-
-  /**
-   * Is the cookie ok? If the cookie is older than $resettime, it is
-   * reset. If the data in $_SESSION['userdata'] doesn't exist, it is
-   * also set.
-   */
-  public function validate() {
-    if (isset($this->session)) {
-        return $this->session;
-    } else {
-        throw new AuthException("Not logged in");
-    }
-  }
-
-
-  /**
-   * Call this function to change the role of a user. The information
-   * is written to the cookie and to $_SESSION['userdata'].
-   */
-  public function change_role($new_role) {
-      if (!in_array($new_role, $this->session['roles'])) {
-          throw new AuthException("Not logged in role");
-      }
-      $this->session['current_role'] =  $new_role;
-      $this->save();
-  }
-
-  /**
-   * Call this function to change the role of a user. The information
-   * is written to the cookie and to $_SESSION['userdata'].
-   */
-  public function change_language($new_language_key) {
-      if (!in_array($new_language_key, $this->session['language_keys'])) {
-          throw new AuthException("Language is not valid");
-      }
-      $this->session['language'] = $new_language_key;
-      $this->save();
-  }
-
-  public function logout() {
-    session_destroy();
-  }
-}
diff --git a/php/inc/header.inc.base.php b/php/inc/header.inc.base.php
index 059aa614..f9397a49 100644
--- a/php/inc/header.inc.base.php
+++ b/php/inc/header.inc.base.php
@@ -5,8 +5,6 @@
 }
 
 require_once("header.inc.version.php"); // To obtain: $aixada_vesion_lastDate
-require_once(__ROOT__ . 'php'.DS.'inc'.DS.'cookie.inc.php');
-//require_once(__ROOT__ . 'php'.DS.'lib'.DS.'exceptions.php'); Is required by 'cookie.inc.php'
 require_once(__ROOT__ . 'local_config'.DS.'config.php');
 require_once(__ROOT__ . 'php'.DS.'utilities'.DS.'general.php');
 
@@ -31,7 +29,9 @@ function aixada_js_src($useMenus = true, $rootJs = '') {
     }
     $src .= "
         <script src=\"{$rootJs}js/aixadautilities/jquery.aixadaXML2HTML.js?v={$aixada_vesion_lastDate}\"></script>
-        <script src=\"{$rootJs}js/aixadautilities/jquery.aixadaUtilities.js?v={$aixada_vesion_lastDate}\"></script>";
+        <script src=\"{$rootJs}js/aixadautilities/jquery.aixadaUtilities.js?v={$aixada_vesion_lastDate}\"></script>
+        <script src=\"{$rootJs}js/aixadautilities/i18n/aixadaUtilities-" . get_session_language() . 
+            ".js?v={$aixada_vesion_lastDate}\"></script>";
     if (get_config('use_ajaxQueue')) {
         $src .= "
         <script src=\"{$rootJs}js/jquery-ajaxQueue/jQuery.ajaxQueue.js?v={$aixada_vesion_lastDate}\"></script>";
diff --git a/php/inc/header.inc.php b/php/inc/header.inc.php
index e7a53357..cbca3683 100644
--- a/php/inc/header.inc.php
+++ b/php/inc/header.inc.php
@@ -9,17 +9,9 @@
 $tpl_print_incidents = configuration_vars::get_instance()->print_incidents_template;
 
    try {
-       $cookie = new Cookie();
-       $cookie->validate();
-       if (!isset($_SESSION)) {
-           session_start();
-       }
-       if (isset($_SESSION['userdata']) 
-	   and isset($_SESSION['userdata']['current_role']) 
-	   and $_SESSION['userdata']['current_role'] !== false) {
 	   $fp = configuration_vars::get_instance()->forbidden_pages;
 	   $uri = $_SERVER['REQUEST_URI'];
-	   $role = $_SESSION['userdata']['current_role'];
+	   $role = get_current_role();
 	   $forbidden = false;
 	   foreach($fp[$role] as $page) {
 	       if (strpos($uri, $page) !== false) {
@@ -30,11 +22,8 @@
 	   if ($forbidden) {
 	       header("Location: index.php");
 	   }
-     }
-     
    }   
    catch (AuthException $e) {
-       //       var_dump($_COOKIE);
      echo("caught AuthException: $e");
      header("Location: login.php?originating_uri=".$_SERVER['REQUEST_URI']);
      exit;
diff --git a/php/inc/menu.inc.php b/php/inc/menu.inc.php
index ae4ed7c5..07ee9a0c 100644
--- a/php/inc/menu.inc.php
+++ b/php/inc/menu.inc.php
@@ -1,25 +1,22 @@
 <div id="logonStatus">
 	<p class="ui-widget">
 <?php 
-    if (!isset($_SESSION)) {
-        session_start();
-    }
-    if ($_SESSION['userdata']['login'] != '') {
+    if (is_created_session()) {
         // Help
         echo '<a href="docs/index_' . get_session_language() . '.php" target="_blank">' .
             $Text['nav_help'] . '</a> | ';	
         
         // Login name and uf_id
-        echo  $Text['nav_signedIn'] . " " . $_SESSION['userdata']['login'] . 
-            " | " . $Text['uf_long'] . ' ' . $_SESSION['userdata']['uf_id'] .
-            " | " . $_SESSION['userdata']['provider_id'];
+        echo  $Text['nav_signedIn'] . " " . get_session_value('login'). 
+            " | " . $Text['uf_long'] . ' ' . get_session_value('uf_id') .
+            " | " . get_session_value('provider_id');
         
         // Select rol
         echo '<select size="0" name="role_select" id="role_select">';
-        foreach ($_SESSION['userdata']['roles'] as $role) {
+        foreach (get_session_value('roles') as $role) {
             echo '<option';
             $rt = (isset($Text[$role]) ? $Text[$role] : "TRANSLATE[$role]");
-            if ($role == $_SESSION['userdata']['current_role']) {
+            if ($role == get_current_role()) {
                 echo ' selected';
             }
             echo ' value="' . $role. '">' . $rt . '</option>'; 
@@ -30,11 +27,11 @@
         $cfg_use_shop = get_config('use_shop', 'order_and_stock');
         if (get_config('show_menu_language_select', false)) {
             echo '<select size="0" name="lang_select" id="lang_select">';
-            $keys = $_SESSION['userdata']['language_keys'];
-            $names = $_SESSION['userdata']['language_names'];
+            $keys = get_session_value('language_keys');
+            $names = get_session_value('language_names');
             for ($i=0; $i < count($keys); $i++) {
                 echo '<option';
-                if ($keys[$i] == $_SESSION['userdata']['language']) {
+                if ($keys[$i] == get_session_value('language')) {
                     echo ' selected';
                 }
                 echo ' value="' . $keys[$i]. '">' . $names[$i] . '</option>'; 
@@ -78,7 +75,7 @@
 			<ul>
 			<li>
             <?php 
-            	if($_SESSION['userdata']['current_role'] == 'Hacker Commission') {
+            	if (get_current_role() == 'Hacker Commission') {
      				echo '<a href="activate_all_roles.php">';
  				} else {
      				echo '<a href="activate_roles.php">';
diff --git a/php/utilities/general.php b/php/utilities/general.php
index b484902c..7906de9d 100644
--- a/php/utilities/general.php
+++ b/php/utilities/general.php
@@ -4,117 +4,171 @@
 require_once(__ROOT__ . 'local_config'.DS.'config.php');
 
 /**
- * 
+ * Creates a Aixada session of the user.
+ */
+function create_session(
+        $user_id, 
+        $login, 
+        $uf_id, 
+        $member_id, 
+        $provider_id, 
+        $roles, 
+        $current_role, 
+        $language_keys, 
+        $language_names, 
+        $current_language_key, 
+        $theme
+    ) {
+    load_session();
+    $_SESSION['userdata'] = array(
+        'user_id' => $user_id,
+        'login' => $login,
+        'uf_id' => $uf_id, 
+        'member_id' => $member_id, 
+        'provider_id' => $provider_id,
+        'roles' => $roles,
+        'current_role' => $current_role,
+        'language_keys' => $language_keys,
+        'language_names' => $language_names,
+        'language' => $current_language_key,
+        'theme' => $theme
+    );
+    save_session();
+} 
+
+/**
+ * Load php session if is not yet loaded.
+ */
+function load_session() {
+    if (!isset($_SESSION)) {
+         session_start();
+    }
+}
+
+/**
+ * Determines if the Aixada session of the user exist, returns true/false
+ */
+function is_created_session() {
+    load_session();
+    return isset($_SESSION['userdata']);
+}
+
+/**
+ * Logout Aixada session destroying php session.
+ */
+function logout_session() {
+    load_session();
+    session_unset();
+    session_destroy();
+}
+
+/**
+ * Save Aixada session (only used in this general.php)
+ */
+function save_session() {
+    session_commit();
+}
+
+/**
+ * Validate the Aixada session, throw error if the user is not logged in.
+ */
+function validate_session() {
+    load_session();
+    if (!isset($_SESSION['userdata'])) {
+        throw new AuthException("Not logged in");
+    }
+}
+
+/**
+ * Returns a value of the Aixada session, throw error if is not logged in.
+ */
+function get_session_value($name) {
+    validate_session();
+    return $_SESSION['userdata'][$name];
+}
+
+/**
  * Returns the user_id of the logged user; wraps a check around this, in order to make sure
  * the value is set. 
  */
 function get_session_user_id() {
-	if (!isset($_SESSION)) {
-        session_start();
-    }
-	if (isset($_SESSION['userdata']['user_id']) && $_SESSION['userdata']['user_id'] > 0 ) {
-		return $_SESSION['userdata']['user_id'];
-	} else {
-		throw new Exception("Session data user_id is not set!! ");
-	}
+    return get_session_value('user_id');
 }
 
-
 /**
- * 
  * returns the uf of the logged user. 
  */
 function get_session_uf_id() {
-	if (!isset($_SESSION)) {
-        session_start();
-    }
-	if (isset($_SESSION['userdata']['uf_id']) && $_SESSION['userdata']['uf_id'] > 0 ) {
-		return $_SESSION['userdata']['uf_id'];
-	} else {
-		throw new Exception("Session data uf_id is not set!! ");
-	}
+    return get_session_value('uf_id');
 }
 
-
 /**
- * 
  * Returns the member_id of the logged user. 
  */
 function get_session_member_id() {
-	if (!isset($_SESSION)) {
-        session_start();
-    }
-	if (isset($_SESSION['userdata']['member_id']) && $_SESSION['userdata']['member_id'] > 0 ) {
-		return $_SESSION['userdata']['member_id'];
-	} else {
-		throw new Exception("Session data member_id is not set!! ");
-	}	
+    return get_session_value('member_id');
 }
 
 /**
- * 
  * Returns the login of the logged user. 
  */
 function get_session_login() {
-	if (!isset($_SESSION)) {
-        session_start();
-    }
-	if (isset($_SESSION['userdata']['login']) && $_SESSION['userdata']['login'] != "") {
-		return $_SESSION['userdata']['login'];
-	} else {
-		throw new Exception("Session data login is not set!! ");
-	}	
+    return get_session_value('login');
 }
 
-
 /**
- * 
  * returns the language for the logged user
  */
 function get_session_language() {
-    if (!isset($_SESSION)) {
-        session_start();
-    }
-    if (isset($_SESSION['userdata']['language']) and $_SESSION['userdata']['language'] != '') {
+    if (is_created_session()) {
         return $_SESSION['userdata']['language'];
     } else {
         return configuration_vars::get_instance()->default_language;
     }
 }
 
-
 /**
- * 
  * returns the theme for the logged user
  */
 function get_session_theme() {
-    if (!isset($_SESSION)) {
-        session_start();
-    }
-    if (isset($_SESSION['userdata']['theme']) and $_SESSION['userdata']['theme'] != '') {
+    if (is_created_session()) {
 		return $_SESSION['userdata']['theme'];
     } else {
 		return	configuration_vars::get_instance()->default_theme;
     }	 
 }
 
-
 /**
- * 
  * retrieves active role of the logged user
  */
 function get_current_role()
 {
-    if (!isset($_SESSION)) {
-        session_start();
-    }
-	 if (isset($_SESSION['userdata']['current_role']) and $_SESSION['userdata']['current_role'] != '') {
-		return $_SESSION['userdata']['current_role'];
-    } else {
-		return false; 
+    return get_session_value('current_role'); 
+}
+
+/**
+* Changes the role of a user. Information is written to $_SESSION['userdata'].
+*/
+function change_session_role($new_role) {
+    validate_session();
+    if (!in_array($new_role, $_SESSION['userdata']['roles'])) {
+        throw new AuthException("Not logged in role");
     }
+    $_SESSION['userdata']['current_role'] = $new_role;
+    save_session();
 }
 
+/**
+* Changes the language of a user. Information is written to $_SESSION['userdata'].
+*/
+function change_session_language($new_language_key) {
+    validate_session();
+    if (!in_array($new_language_key, $_SESSION['userdata']['language_keys'])) {
+        throw new AuthException("Language is not valid");
+    }
+    $_SESSION['userdata']['language'] = $new_language_key;
+    save_session();
+}
 
 /**
  * 

From c5ad642c2c1e3912db5b30bb87c9ed56930bc885 Mon Sep 17 00:00:00 2001
From: jorix <xavier.mamano@gmail.com>
Date: Mon, 10 Dec 2018 14:04:17 +0100
Subject: [PATCH 3/5] Go to *login.php* when not logged by controller

User can continue on a Aixada page tried to make requests, but in another tab the session is logged out. Therefore, all controllers are responding to requests with error "Not logged in".

It is proposed to show a message and go to `login.php`.
(new method `AixadaNotLoggedInMsg` in `jquery.aixadaUtilities.js` to display this message that is depending on the language)
---
 js/aixadacart/jquery.aixadacart.js               |  6 +++++-
 js/aixadautilities/i18n/aixadaUtilities-ca-va.js | 10 ++++++++++
 js/aixadautilities/i18n/aixadaUtilities-en.js    | 10 ++++++++++
 js/aixadautilities/i18n/aixadaUtilities-es.js    | 10 ++++++++++
 js/aixadautilities/jquery.aixadaUtilities.js     | 16 ++++++++++++++++
 js/aixadautilities/jquery.aixadaXML2HTML.js      | 11 +++++++++--
 php/inc/header.inc.version.php                   |  2 +-
 7 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 js/aixadautilities/i18n/aixadaUtilities-ca-va.js
 create mode 100644 js/aixadautilities/i18n/aixadaUtilities-en.js
 create mode 100644 js/aixadautilities/i18n/aixadaUtilities-es.js

diff --git a/js/aixadacart/jquery.aixadacart.js b/js/aixadacart/jquery.aixadacart.js
index 64f2b652..ac23efb4 100644
--- a/js/aixadacart/jquery.aixadacart.js
+++ b/js/aixadacart/jquery.aixadacart.js
@@ -143,7 +143,11 @@
   									
   							    },
   							   error : function(XMLHttpRequest, textStatus, errorThrown){
-  							    	$this.data('aixadacart').submitError.call($this,XMLHttpRequest.responseText);
+                                    if (XMLHttpRequest.responseText === $.aixadaUtilities_lang.NOT_LOGGED_IN) {
+                                        $.AixadaNotLoggedInMsg();
+                                    } else {
+                                        $this.data('aixadacart').submitError.call($this,XMLHttpRequest.responseText);
+                                    }
   							    	//alert(errorThrown);
   							    	
   							    	//updateCartTips.call($this,'error',XMLHttpRequest.responseText);
diff --git a/js/aixadautilities/i18n/aixadaUtilities-ca-va.js b/js/aixadautilities/i18n/aixadaUtilities-ca-va.js
new file mode 100644
index 00000000..615ff47b
--- /dev/null
+++ b/js/aixadautilities/i18n/aixadaUtilities-ca-va.js
@@ -0,0 +1,10 @@
+(function($){
+	$.extend({
+		aixadaUtilities_lang : {
+            NOT_LOGGED_IN: "Not logged in",
+			btn_ok: "D'acord",
+            not_logged_in: "La sessió d'usuari no està iniciada",
+            must_identify: "Ha d'identificar-se!"
+		}
+	});
+})(jQuery);
diff --git a/js/aixadautilities/i18n/aixadaUtilities-en.js b/js/aixadautilities/i18n/aixadaUtilities-en.js
new file mode 100644
index 00000000..36ea7f86
--- /dev/null
+++ b/js/aixadautilities/i18n/aixadaUtilities-en.js
@@ -0,0 +1,10 @@
+(function($){
+	$.extend({
+		aixadaUtilities_lang: {
+            NOT_LOGGED_IN: "Not logged in",
+            btn_ok: "Ok",
+            not_logged_in: "User is not logged in",
+            must:identify: "You must identify!"
+		}
+	});
+})(jQuery);
diff --git a/js/aixadautilities/i18n/aixadaUtilities-es.js b/js/aixadautilities/i18n/aixadaUtilities-es.js
new file mode 100644
index 00000000..62ba27cf
--- /dev/null
+++ b/js/aixadautilities/i18n/aixadaUtilities-es.js
@@ -0,0 +1,10 @@
+(function($){
+	$.extend({
+		aixadaUtilities_lang: {
+            NOT_LOGGED_IN: "Not logged in",
+			btn_ok: "De acuerdo",
+            not_logget_in: "La sesión de usuario no está iniciada",
+            must_identify: "¡Debe identificarse!"
+		}
+	});
+})(jQuery);
diff --git a/js/aixadautilities/jquery.aixadaUtilities.js b/js/aixadautilities/jquery.aixadaUtilities.js
index b811f7a1..4ad49e53 100644
--- a/js/aixadautilities/jquery.aixadaUtilities.js
+++ b/js/aixadautilities/jquery.aixadaUtilities.js
@@ -323,6 +323,22 @@ $(function(){
 		closeMsg : function(){
 			$('#aixada_msg').dialog( "close" );
 			
+		},
+		AixadaNotLoggedInMsg: function() {
+		    var buttonClick = {};
+		    buttonClick[$.aixadaUtilities_lang.btn_ok] = function(){
+		        $(this).dialog("close");
+		        window.location.href = 'login.php';
+		    };
+		    $.showMsg({
+		        title: $.aixadaUtilities_lang.not_logged_in,
+		        msg:   $.aixadaUtilities_lang.must_identify,
+		        buttons: buttonClick,
+		        type: 'error'
+		    });
+		    $("#aixada_msg").on("dialogclose", function() {
+		        window.location.href = 'login.php';
+		    });
 		}
 	});
 	
diff --git a/js/aixadautilities/jquery.aixadaXML2HTML.js b/js/aixadautilities/jquery.aixadaXML2HTML.js
index d7fe4c00..ecef07a8 100644
--- a/js/aixadautilities/jquery.aixadaXML2HTML.js
+++ b/js/aixadautilities/jquery.aixadaXML2HTML.js
@@ -164,8 +164,15 @@
 									},//end success
 									
 									error : function(XMLHttpRequest, textStatus, errorThrown){
-	  							    	alert('An error "' + errorThrown + '", status "' + textStatus + '" occurred during loading data: ' + XMLHttpRequest.responseText);
-
+                                        if (XMLHttpRequest.responseText === $.aixadaUtilities_lang.NOT_LOGGED_IN) {
+                                            $.AixadaNotLoggedInMsg();
+                                        } else {
+                                            alert('An error "' + errorThrown + 
+                                                '", status "' + textStatus + 
+                                                '" occurred during loading data: ' +
+                                                XMLHttpRequest.responseText
+                                            );
+                                        }
 	  							    },
 	  							   complete : function(msg){
 	  							 	
diff --git a/php/inc/header.inc.version.php b/php/inc/header.inc.version.php
index bd0f54cf..a45b47e4 100644
--- a/php/inc/header.inc.version.php
+++ b/php/inc/header.inc.version.php
@@ -4,4 +4,4 @@
  * Do not edit it, but instead run
  * php make_canned_responses.php
  */
-$aixada_vesion_lastDate = '20170304_234636';
+$aixada_vesion_lastDate = '20181210_140125';

From 8695f00457baf692c1f89cc708978b86b8db8b36 Mon Sep 17 00:00:00 2001
From: jorix <xavier.mamano@gmail.com>
Date: Mon, 10 Dec 2018 19:37:05 +0100
Subject: [PATCH 4/5] Put some obstacles in order to be more secure.

It is proposed to logout the session when:
* After 30 days of inactivity
* If there are requests to the same session from a different IP (but the router restart also force it)
* If there are requests to the same session from a different browser (but the browser update also force it)

At logout it also regenerates the session id to try to deactivate the session hijack attack.
---
 php/ctrl/Login.php        |  6 ++++++
 php/utilities/general.php | 19 ++++++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/php/ctrl/Login.php b/php/ctrl/Login.php
index a8b0caf9..c5c7e5e5 100644
--- a/php/ctrl/Login.php
+++ b/php/ctrl/Login.php
@@ -50,6 +50,12 @@
 	               $current_role, 
 	               $current_language_key, 
 	               $theme) = $auth->check_credentials(get_param('login'), get_param('password'));
+              /* FIXME
+                    There a security issues here: 'login' and 'password' are posted unencrypted, and so is visible to everyone!
+                    Even encrypting the username/password is no solution, because anyone who intercepts the communication
+                    can just send the encrypted text without knowing what it decrypts to, but can log in anyways.
+                    The solution could be to implement an SSL protocol.
+              */
 	      	  
 	          $langs = existing_languages();
 	          create_session( 
diff --git a/php/utilities/general.php b/php/utilities/general.php
index 7906de9d..87f99c62 100644
--- a/php/utilities/general.php
+++ b/php/utilities/general.php
@@ -31,7 +31,11 @@ function create_session(
         'language_keys' => $language_keys,
         'language_names' => $language_names,
         'language' => $current_language_key,
-        'theme' => $theme
+        'theme' => $theme,
+        'cli_addr' => $_SERVER['REMOTE_ADDR'],
+        'cli_agent' => $_SERVER['HTTP_USER_AGENT'],
+        't_created' => time(),
+        't_saved' => time()
     );
     save_session();
 } 
@@ -58,6 +62,7 @@ function is_created_session() {
  */
 function logout_session() {
     load_session();
+    session_regenerate_id(true);
     session_unset();
     session_destroy();
 }
@@ -66,6 +71,7 @@ function logout_session() {
  * Save Aixada session (only used in this general.php)
  */
 function save_session() {
+    $_SESSION['userdata']['t_saved'] = time();
     session_commit();
 }
 
@@ -77,6 +83,17 @@ function validate_session() {
     if (!isset($_SESSION['userdata'])) {
         throw new AuthException("Not logged in");
     }
+    if ((time() - $_SESSION['userdata']['t_saved']) > 30 * 86400 || // More than 30 days inactive
+        $_SESSION['userdata']['cli_addr'] !== $_SERVER['REMOTE_ADDR'] || // Client IP address is changed
+        $_SESSION['userdata']['cli_agent'] !== $_SERVER['HTTP_USER_AGENT'] // Client browser is changed
+    ) {
+        logout_session();
+        throw new AuthException("Not logged in");
+    } 
+    if ((time() - $_SESSION['userdata']['t_saved']) > 15 * 60) { // > 15 min
+        save_session();
+        load_session();
+    }
 }
 
 /**

From 3fbacfd2f4791fbcd34d341cbe1b403cfb2c0b0d Mon Sep 17 00:00:00 2001
From: jorix <xavier.mamano@gmail.com>
Date: Fri, 21 Dec 2018 18:45:14 +0100
Subject: [PATCH 5/5] For compatibility the creation date of session is put as
 now.

This avoids closing all sessions when changing to this version.
---
 php/ctrl/InstallAixada.php | 15 +++++----------
 php/utilities/general.php  |  8 ++++++++
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/php/ctrl/InstallAixada.php b/php/ctrl/InstallAixada.php
index a2a976fb..2015b2f3 100644
--- a/php/ctrl/InstallAixada.php
+++ b/php/ctrl/InstallAixada.php
@@ -135,19 +135,14 @@ function CheckExistAndLogin() {
     $existAixada = get_row_query("SELECT table_name FROM information_schema.tables where table_schema=DATABASE() and table_name='aixada_uf'");
     if ($existAixada) {
         // Logged options
-        if (!isset($_SESSION)) {
-            session_start();
-        }
-        if (!isset($_SESSION['userdata']) || 
-            !isset($_SESSION['userdata']['roles']) || 
-            !isset($_SESSION['userdata']['login'])
-        ) {
+        if (!is_created_session()) {
             throw new Exception("Must identify as a user before starting an database update!
-            <br><a href=\"login.php?\">login</a>");
+            <br><a target=\"_blank\" href=\"login.php?\">login</a>");
         }
-        if (!in_array('Hacker Commission', $_SESSION['userdata']['roles'])) {
+        $roles = get_session_value('roles');
+        if (!in_array('Hacker Commission', $roles)) {
             throw new Exception("Only a user with role \"Hacker Commission\" can do an database update!
-            <br><a href=\"login.php?\">login</a>");
+            <br><a target=\"_blank\" href=\"login.php?\">login</a>");
         }
         // Is updatable?
         $isUpdatable = !!get_row_query(
diff --git a/php/utilities/general.php b/php/utilities/general.php
index 87f99c62..6f9be02c 100644
--- a/php/utilities/general.php
+++ b/php/utilities/general.php
@@ -83,6 +83,14 @@ function validate_session() {
     if (!isset($_SESSION['userdata'])) {
         throw new AuthException("Not logged in");
     }
+    // For compatibility with old versions the creation tate is forced if it does not exist.
+    if (!isset($_SESSION['userdata']['t_saved'])) {
+        $_SESSION['userdata']['t_saved'] = time();
+        $_SESSION['userdata']['cli_addr'] = $_SERVER['REMOTE_ADDR'];
+        $_SESSION['userdata']['cli_agent'] = $_SERVER['HTTP_USER_AGENT'];
+    }
+
+    // Check if the session is still valid.
     if ((time() - $_SESSION['userdata']['t_saved']) > 30 * 86400 || // More than 30 days inactive
         $_SESSION['userdata']['cli_addr'] !== $_SERVER['REMOTE_ADDR'] || // Client IP address is changed
         $_SESSION['userdata']['cli_agent'] !== $_SERVER['HTTP_USER_AGENT'] // Client browser is changed