Fi:x Restore a security system broken by adding alt feature.

htdocs/lib/security.lib.php

@@ -79,8 +79,13 @@ function dol_loginfunction($langs,$conf,$mysoc)
 	$conf->css = "/theme/".$conf->theme."/style.css.php?lang=".$langs->defaultlang;
 	$conf_css = DOL_URL_ROOT.$conf->css;
 
+    // Add real path in session name (we must do that to avoid conflict between two dolibarr instances)
+    $realpath='';
+    if ( preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
+    if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name
+
 	// Set cookie for timeout management
-	$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+	$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
 	if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
 
 	if (GETPOST("urlfrom")) $_SESSION["urlfrom"]=GETPOST("urlfrom");
@@ -112,7 +117,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
 
 		if (! empty($conf->global->MAIN_MULTICOMPANY_COOKIE))
 		{
-			$entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"]);
+			$entityCookieName = 'DOLENTITYID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
 			if (isset($_COOKIE[$entityCookieName]))
 			{
 				include_once(DOL_DOCUMENT_ROOT . "/core/class/cookie.class.php");