Fixed SSL/TLS incompatability in API Response. See #37
Fixed SSL/TLS incompatibility in API Response. See #37

file:a/.gitignore -> file:b/.gitignore
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,5 @@
 testcreds
 testdata
 testdata/*
+update/
 

--- a/Install/index.php
+++ b/Install/index.php
@@ -478,6 +478,8 @@
   `Address` blob,
   `UName` blob,
   `Custom` blob,
+  `hidden` tinyint(1) DEFAULT 0,
+  `comment` blob DEFAULT NULL,
   PRIMARY KEY (`id`),
   KEY `idx_Cred_Group` (`Group`),
   KEY `idx_cred_cust` (`cust`)
@@ -561,9 +563,9 @@
   KEY `idx_failedips` (`FailedIP`)
 ) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;',
 
-'CREATE TABLE CustPortal( `id` INT NOT NULL, `email` TEXT, `pass` TEXT, `active` TINYINT(1), PRIMARY KEY (`id`));',
-'CREATE UNIQUE INDEX idx_portal_logins ON CustPortal(`email`(100));',
-'CREATE INDEX ifdx_active_portal ON wewt_CustPortal(`active`);,'
+'CREATE TABLE #__CustPortal( `id` INT NOT NULL, `email` TEXT, `pass` TEXT, `active` TINYINT(1), PRIMARY KEY (`id`));',
+'CREATE UNIQUE INDEX idx_portal_logins ON #__CustPortal(`email`(100));',
+'CREATE INDEX idx_active_portal ON #__CustPortal(`active`);'
 
 );
 
@@ -604,6 +606,7 @@
 <input type="hidden" name="template" value="EstDeus">
 <input type="hidden" name="JSMinName" value=".min">
 <input type="hidden" name="forceSSL" value="false">
+<input type="hidden" name="forceTLS" value="true">
 
 <table>
 <tr>
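Review bot: The new `forceTLS` hidden input carries the string `"true"`, and every consumer introduced by this commit (lib/API.php, lib/Handler.php, lib/crypto.php, the views) tests `BTMain::getConf()->forceTLS` for plain truthiness; if the installer persists the field as a string, an operator who sets it to `"false"` still gets a truthy value, because in PHP only `""` and `"0"` are falsy strings. How the installer writes the config is not visible here, so this is worth confirming. The safe form is to normalise when the value is written, e.g. `$conf->forceTLS = (BTMain::getVar('forceTLS') === 'true');` (or whatever the installer's equivalent is), so the flag is a real boolean everywhere it is read.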

--- a/Resources/info.php
+++ b/Resources/info.php
@@ -34,6 +34,22 @@
 
 // Load the framework
 require_once 'lib/Framework/main.php';
+
+
+if (isset($_COOKIE['PHPCredLockerKeySet']) && BTMain::getVar('destSession') == 'Y'){
+
+$expires = strtotime("-2 days");
+setcookie("PHPCredLockerKeySet", 1, $expires, dirname($_SERVER["REQUEST_URI"]), $_SERVER['HTTP_HOST'], BTMain::getConf()->forceSSL);
+BTMain::unsetSessVar('tls');
+BTMain::unsetSessVar('KeyExpiry');
+BTMain::unsetSessVar('apiterms');
+
+$_COOKIE['PHPCredLockerKeySet'] = 0;
+
+}
+
+
+
 
 $tls = BTMain::getSessVar('tls');
 $expiry = BTMain::getSessVar('KeyExpiry');
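Review bot: The session-key teardown at the top of this hunk is triggered purely by a request parameter (`destSession=Y`) plus the presence of the `PHPCredLockerKeySet` cookie, so a cross-origin GET to `Resources/info.php?destSession=Y` (an image load is enough) clears the victim's `tls`, `KeyExpiry` and `apiterms` session vars and breaks encryption for the live session. lib/output.php already decides server-side when a teardown is wanted (it sets `cacheFrustrate` in the very branch that appends `&destSession=Y`), so gate on a session flag set there instead of on the query string, e.g. `BTMain::setSessVar('destSession','Y')` in output.php and `BTMain::getSessVar('destSession') == 'Y'` here, unsetting it once consumed. Separately, `setcookie()` takes its domain from `$_SERVER['HTTP_HOST']`, which reflects the request's Host header; use the configured site host or omit the domain argument so the cookie is scoped to the request host by default.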
@@ -168,7 +184,7 @@
 
 ob_start();
 ?> 
-function getKey(){ return '<?php echo base64_encode(BTMain::getSessVar('tls'));?>'; }
+function getTLSKey(){ return '<?php echo base64_encode(BTMain::getSessVar('tls'));?>'; }
 
 
 function getDelimiter(){ return "|..|";}
@@ -179,7 +195,7 @@
 if (a == 'undefined' || a == 'null' || a == ''){
 return;}
 
-<?php foreach ($terms as $key=>$value){ echo "this.$value='".base64_encode($key) ."';"; }?>
+
 
 return this[a];
  }
@@ -199,16 +215,25 @@
 return window.destroyKeys = '';
 }
 
-function enabledEncryption(){
+function enabledTLSEncryption(){
 return <?php echo $enabled;?>;
 }
 
-
-
-
-
-
-
+function setStorage(){
+  if(typeof(Storage)!=="undefined"){
+	sessionStorage.setItem('key', getTLSKey());
+	sessionStorage.setItem('Terminology','{<?php foreach ($terms as $key=>$value){ echo "\"$value\":\"".base64_encode($key) ."\","; }?>"null":"null"}');
+	sessionStorage.setItem('CryptEnabled',enabledTLSEncryption());
+	sessionStorage.setItem('Delimiter',getDelimiter());
+    }else{
+    alert("You're using an out of date browser, this has a serious impact on security. Please use at least IE8, Firefox, Chrome or Safari");
+    }
+}
+
+
+
+
+setStorage();
 new getTerminology();
 <?php
 

--- a/Resources/main.js
+++ b/Resources/main.js
@@ -12,7 +12,7 @@
 */
 
 
-var counter=false, cancel='', dispcred, interval;
+var counter=false, cancel='', dispcred, interval,terms;
 
 
 
@@ -96,8 +96,12 @@
   if (count <= 0 || cancel == 1)
   {
      clearInterval(counter);
+     if (document.getElementById('credHidden'+id)){
+     field.innerHTML = 'Display<span class="DisPwdText"> Username</span>';  
+     }else{
+     field.innerHTML = 'Display<span class="DisPwdText"> Password</span>';  
+     }
      
-     field.innerHTML = 'Display<span class="DisPwdText"> Password</span>';
      document.getElementById('Address'+id).innerHTML = '';
      document.getElementById('UserName'+id).innerHTML = '';
      document.getElementById('Password'+id).innerHTML = '';
@@ -106,7 +110,7 @@
      return;
   }
 
-  field.innerHTML = 'Displaying Password for ' +count+ ' seconds';
+  field.innerHTML = 'Displaying for ' +count+ ' seconds';
 }
 
 
@@ -220,7 +224,8 @@
   var cred = document.getElementById('frmCredential'),
       user = document.getElementById('frmUser'),
       addr = document.getElementById('frmAddress'),
-      grp = document.getElementById('frmGroup');
+      grp = document.getElementById('frmGroup'),
+      comment = document.getElementById('frmComment');
       
       
       
@@ -244,6 +249,7 @@
  cred.value = Base64.encode(xorestr(cred.value,retKey()));
  user.value = Base64.encode(xorestr(user.value,retKey()));
  addr.value = Base64.encode(xorestr(addr.value,retKey()));
+ comment.value = Base64.encode(xorestr(comment.value,retKey()));
 }
 return true;
 
@@ -258,7 +264,8 @@
   var cred = document.getElementById('frmCredential'),
       user = document.getElementById('frmUser'),
       addr = document.getElementById('frmAddress'),
-      grp = document.getElementById('frmGroup');
+      grp = document.getElementById('frmGroup'),
+      comment = document.getElementById('frmComment');
       
       
       
@@ -285,6 +292,9 @@
 if (cred.value == null || cred.value == ''){
  cred.value = ' '; 
 }
+if (comment.value == null || comment.value == ''){
+ comment.value = ' '; 
+}
 
 if (user.value == null || user.value == ''){
  user.value = ' '; 
@@ -293,6 +303,7 @@
 if (addr.value == null || addr.value == ''){
  addr.value = ' '; 
 }
+
 
 if (enabledEncryption()){ 
  
@@ -300,6 +311,7 @@
  cred.value = Base64.encode(xorestr(cred.value,retKey()));
  user.value = Base64.encode(xorestr(user.value,retKey()));
  addr.value = Base64.encode(xorestr(addr.value,retKey()));
+ comment.value = Base64.encode(xorestr(comment.value,retKey()));
 }
 
 return true;
@@ -919,6 +931,18 @@
  * as it means a longer request.
  * 
  */
+
+
+function inlineDeCrypt(){
+ var i, eles = document.getElementsByClassName('inlineTLS');
+ 
+ for (i=0;i < eles.length;i++){
+   eles[i].innerHTML = decryptAPIResp(eles[i].innerHTML,retKey());   
+ }  
+  
+}
+
+
 function xorestr(str,key){
     if (!enabledEncryption()){ return str; }
     
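Review bot: `inlineDeCrypt` writes the decrypted plaintext back with `innerHTML`, so whatever `inlineEncrypt` wrapped on the server is parsed as markup once decoded; lib/crypto.php's `inlineEncrypt` does not escape its input and its call sites are outside this diff, so any markup in the stored value would be rendered. If the decoded content is plain text, `eles[i].textContent = decryptAPIResp(eles[i].innerHTML, retKey());` avoids that; if it is intended to be HTML, a comment on the function stating that callers must pre-escape makes the contract explicit. It is also worth documenting that the function assumes the key is already available, since `retKey()`'s behaviour on a missing key is not visible here.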
@@ -1066,11 +1090,24 @@
 
 
 function getDivider(){
+  
+    if(typeof(Storage)!=="undefined" && sessionStorage.Delimiter){
+	return sessionStorage.getItem('Delimiter');
+  }
+  
  return getDelimiter(); 
 }
 
 
 function getTerms(a){
+  
+  if(typeof(Storage)!=="undefined"){
+	if (!terms){
+      terms = JSON.parse(sessionStorage.getItem('Terminology'))
+	}
+      return Base64.decode(terms[a.toString()]);
+  }
+  
   return Base64.decode(getTerminology(a));
 }
 
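Review bot: `getTerms` only checks that `Storage` exists before reading `sessionStorage.getItem('Terminology')`, whereas the neighbouring `getDivider` also checks that the item is present; when `setStorage()` has not run yet, `JSON.parse(null)` yields `null` and `terms[a.toString()]` throws a TypeError instead of falling through to `getTerminology(a)`. Mirror the guard, `if (typeof(Storage) !== "undefined" && sessionStorage.getItem('Terminology')) {`, and add the missing semicolon after the `JSON.parse(...)` assignment. A term absent from the map also reaches `Base64.decode(undefined)`; falling back to `getTerminology(a)` when `terms[a]` is undefined keeps the two paths closer in behaviour.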
@@ -1119,7 +1156,7 @@
 function checkKeyAvailable(){
  
   
- if(typeof getKey != 'function') {
+ if(!getKey && typeof getTLSKey != 'function') {
    
    if (confirm("Key retrieval failed - Attempting to rectify, Click OK to continue - Screen may refresh")){
    
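Review bot: In the new condition `if(!getKey && typeof getTLSKey != 'function')`, `!getKey` negates the function object rather than its return value; `getKey` is now a function declaration in this file and therefore always truthy, so the whole condition is always false and the key-recovery path below can never run. The intent is presumably the result: `if (!getKey() && typeof getTLSKey != 'function') {`. `getKey()` returns `false` only when `Storage` is absent and `getTLSKey` is missing, and `null` when `sessionStorage` holds no `key` item, so testing `!getKey()` covers both cases. `checkKeyAvailable`'s body continues outside the hunk.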
@@ -1132,7 +1169,7 @@
    
    removeCurrKey();
    
-    if(typeof getKey == 'function') {
+    if(typeof getTLSKey == 'function') {
       alert("Keys retrieved successfully");
       return true;
       
@@ -1149,7 +1186,32 @@
   
 }
 
-
+function getKey(){ 
+  
+ if(typeof(Storage)!=="undefined" && sessionStorage.key){
+    return sessionStorage.getItem('key');
+  }else{
+    if(typeof getTLSKey != 'function'){
+     return false; 
+    }
+   return getTLSKey(); 
+  }
+    
+}
+
+function enabledEncryption(){
+  
+   if(typeof(Storage)!=="undefined" && sessionStorage.CryptEnabled){
+    return sessionStorage.getItem('CryptEnabled');
+  }else{
+    if(typeof enabledTLSEncryption != 'function'){
+     return false; 
+    }
+   return enabledTLSEncryption(); 
+  }
+  
+
+}
 
 
 
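Review bot: The guards `sessionStorage.key` and `sessionStorage.CryptEnabled` in the new `getKey` and `enabledEncryption` do not test the stored items: in conforming browsers `sessionStorage.key` resolves to the built-in `Storage.prototype.key` method (named item access does not shadow interface members), so it is always truthy and `getKey` returns `null` rather than falling back to `getTLSKey()` when nothing has been stored yet; test the item explicitly with `sessionStorage.getItem('key') !== null`. Likewise `enabledEncryption` returns the raw stored string, and `setStorage()` in Resources/info.php stores `enabledTLSEncryption()` through `setItem`, which stringifies it, so a stored `"false"` or `"0"` is truthy at the `if (enabledEncryption())` call sites in this file and XOR encoding is applied when it should be skipped; compare to the literal instead, `return sessionStorage.getItem('CryptEnabled') === 'true';`, adjusted to whatever form `$enabled` is rendered in (not visible here). Both functions would also benefit from a one-line comment recording that sessionStorage is the primary source and the info.php-generated functions are the fallback.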

--- a/conf/lang.php
+++ b/conf/lang.php
@@ -21,3 +21,4 @@
 $lang['User'] = 'User';
 $lang['User Groups'] = 'User Groups';
 $lang['UserGroup'] = 'Group';
+$lang['Comment'] = 'Comment';

--- a/lib/API.php
+++ b/lib/API.php
@@ -54,7 +54,7 @@
 
 
 
-	if (!BTMain::getConnTypeSSL()){
+	if (!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS){
 	    $tlskey = BTMain::getsessVar('tls');
 	    $option = base64_decode($crypt->xordstring(base64_decode($option),$tlskey));
 	 }
@@ -82,7 +82,13 @@
     $key = 'Cre'.$cred->CredType;
 
     // Build the response
+
+    if ((BTMain::getUser()->PortalLogin != 1) || ($cred->hidden !=1)){
     $pass = htmlspecialchars($crypt->decrypt($cred->Hash,$key));
+    }else{
+    $pass = "<span style='font-size: x-small'>You are not authorised to view this password</span>";
+    }
+
     $address = htmlspecialchars($crypt->decrypt($cred->Address,$key));
     $uname = htmlspecialchars($crypt->decrypt($cred->UName,$key));
 
@@ -201,7 +207,7 @@
 
 $op = $padding.$opDivider.ob_get_clean().$opDivider.$endpadding;
 
-if (!BTMain::getConnTypeSSL()){
+if (!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS){
 $op = base64_encode($crypt->xorestring(base64_encode($op),$tlskey));
 }
 

--- a/lib/Framework/main.php
+++ b/lib/Framework/main.php
@@ -151,10 +151,18 @@
 function buildACLQuery($tbl = false){
 $groups = BTMain::getUser()->groups;
 $tab ='';
-
 if ($tbl){
 $tab = "$tbl.";
 }
+
+
+if (BTMain::getUser()->PortalLogin == '1'){
+return "$tab.cust = '".BTMain::getUser()->PortalID."' ";
+
+}
+
+
+
 
 if (!in_array("-1",$groups)){
 return "$tab`Group`=" . implode(" OR $tab`Group`=",$groups) ;
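Review bot: The new portal branch builds its predicate with `"$tab.cust = ..."`, but PHP's simple interpolation stops at the dot, so the literal `.cust` follows the value of `$tab`: with `$tbl` set this yields `a..cust`, and with the default `$tab = ''` it yields `.cust`, neither of which is valid SQL (the existing branch below interpolates `$tab` directly before the backquoted column name). If the intent is a table-qualified column, write `return "{$tab}cust = '".BTMain::getUser()->PortalID."' ";`. Since this string is spliced straight into `WHERE` clauses by callers such as lib/db/Customer.php, casting `PortalID` to an integer (if it is numeric) or escaping it keeps the ACL helper safe even though the value comes from the user record rather than the request.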

--- a/lib/Handler.php
+++ b/lib/Handler.php
@@ -22,6 +22,9 @@
 $option = BTMain::getVar('option');
 $auth = new ProgAuth;
 
+$custportalmethods = array("logout","editCred");
+
+
     // See if the user has an active session
     if (BTMain::getsessVar('Session')){
     
@@ -37,7 +40,7 @@
     $key = BTMain::getSessVar('AuthKey');
     $pass = BTMain::getVar('FrmPass');
     
-    if (!BTMain::getConnTypeSSL()){
+    if (!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS){
     $pass =& $crypt->xordstring(base64_decode($pass),$key);
     }
 
@@ -71,7 +74,10 @@
 
 
 
-
+if ((BTMain::getUser()->PortalLogin == 1) && (!in_array($option,$custportalmethods))){
+$option = 'viewCust';
+BTMain::setVar('id',BTMain::getUser()->PortalID);
+}
 
 
 switch ($option){

--- a/lib/auth.class.php
+++ b/lib/auth.class.php
@@ -40,6 +40,24 @@
 
 return md5($salt.date('y-m-dHis'));
 
+}
+
+
+/** bcrypt the pass
+*
+* Ta to Jon Hulka on stackoverflow for this function!
+*
+*/
+function blowfishCrypt($password,$cost)
+{
+    $chars='./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    $salt=sprintf('$2a$%02d$',$cost);
+//For PHP >= PHP 5.3.7 use this instead (as per martinstoeckli's suggestion)
+//    $salt=sprintf('$2y$%02d$',$cost);
+    //Create a 22 character salt -edit- 2013.01.15 - replaced rand with mt_rand
+    mt_srand();
+    for($i=0;$i<22;$i++) $salt.=$chars[mt_rand(0,63)];
+    return crypt($password,$salt);
 }
 
 
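Review bot: `blowfishCrypt` is called statically as `ProgAuth::blowfishCrypt(...)` in lib/customer.class.php but declared as an instance method (and called as `$this->blowfishCrypt` in this class), which PHP 5 tolerates only with a strict-standards notice; declare it `static function blowfishCrypt($password,$cost)` so both call styles are legitimate. The salt is drawn from `mt_rand()` after an explicit `mt_srand()` reseed, which is not a cryptographic source; where available, `openssl_random_pseudo_bytes(16)` (or `password_hash()` on PHP 5.5+, which handles salt and prefix itself) is the better choice, and the `$2y$` prefix the comment already mentions should be used when the PHP version allows. `crypt()` signals failure by returning a string shorter than 13 characters, which this code would store as the user's hash; add `if (strlen($hash) !== 60) { throw new Exception('bcrypt unavailable'); }` before returning.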
@@ -109,8 +127,8 @@
 	// We need to create a salt for the password
 	$user->salt = $this->createSalt();
 
-	// Salt the password
-	$user->pass = md5($pass.$user->salt);
+	// Salt the password - why the hell was I using MD5 here?? I don't remember doing that - embarassing
+	$user->pass = $this->blowfishCrypt($pass.$user->salt,12);
 
 	// Get the plaintext password out of memory
 	unset($pass);
@@ -145,7 +163,7 @@
 $user->salt = $this->createSalt();
 
 // Salt the password
-$user->pass = md5($plaintextPass.$user->salt);
+$user->pass = $this->blowfishCrypt($plaintextPass.$user->salt,12);
 $user->RealName = $RealName;
 $user->groups = $groups;
 $user->username = $username;
@@ -233,12 +251,20 @@
 // Get the valid hash out of memory as we have it in an array anyway
 unset($user->pass);
 
-    if( md5($password.$pass[1]) != $pass[0]){
-      return $this->logFailedAttempt($username,$db);
+
+    if (crypt($password.$pass[1],$pass[0]) != $pass[0]){
+	// Check for a match on the old schema, there's only a risk of hash collision if the stored password is MD5
+	if (md5($password.$pass[1]) == $pass[0]){
+	  // We need to update the stored hash to use the new schema. Still don't remember going with MD5. Should know better!
+	  $db->updPass($username,$this->blowfishCrypt($password.$pass[1],12),$pass[1]);
+	}else{
+	  return $this->logFailedAttempt($username,$db);
+	}
+
       }
 
 // Create a Session ID
-    $sessID = md5(date('YmdHis') . mt_rand(10,80000) . mt_rand(11,500) . $username . mt_rand(0,90000));
+    $sessID = sha1(date('YmdHis') . mt_rand(10,80000) . mt_rand(11,500) . $username . mt_rand(0,90000));
 
 // Get the hashes out of memory
     unset($password);
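Review bot: The legacy-MD5 upgrade path compares `crypt(...)` and `md5(...)` output against the stored value with loose `!=`/`==`, which treats hex digests of the form `0e…` as numeric and can compare unequal strings as equal; use `hash_equals()` if the PHP version offers it (5.6+), otherwise at least `!==`/`===`. The new `$sessID` moves to `sha1()`, but its input is still a timestamp plus three `mt_rand()` values, which is not a cryptographic source for a session identifier; prefer `bin2hex(openssl_random_pseudo_bytes(20))` when that extension is loaded. `updPass()` in lib/db/authdb.class.php discards its query result, so a failed rewrite of the upgraded hash is silent here; returning and checking that result would surface it. The surrounding login function begins outside the hunk.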
@@ -321,6 +347,7 @@
 }
 
 
+
 /** Invalid Login
 *
 */

--- a/lib/crypto.php
+++ b/lib/crypto.php
@@ -81,6 +81,11 @@
     return $en;
 }
 
+
+
+function inlineEncrypt($string){
+return "<div class='inlineTLS'>".base64_encode($this->xorestring(base64_encode($string),$tlskey = BTMain::getsessVar('tls')))."</div>";
+}
 
 
 /** Xor the provided string to encrypt it
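Review bot: `inlineEncrypt` XORs its input unconditionally, while every other TLS path in this commit is gated on `!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS` (lib/API.php, lib/Handler.php, and `genXorPadding` in the next hunk); if the client's `decryptAPIResp` honours the same gate, inline content served over plain SSL with forceTLS off is never decoded. Apply the same condition here, `if (BTMain::getConnTypeSSL() && !BTMain::getConf()->forceTLS) { return $string; }` before the encrypted branch, so the `inlineTLS` wrapper (which main.js's `inlineDeCrypt` rewrites) is only emitted when decoding will happen. The inline `$tlskey = ...` assignment inside the argument list is better pulled onto its own line, and a docblock should state that the caller must pass already-escaped text, since the client decodes the result straight into `innerHTML`.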
@@ -175,7 +180,7 @@
 */
 function genXorPadding(){
 
-if (BTMain::getConnTypeSSL()){
+if (BTMain::getConnTypeSSL() && !BTMain::getConf()->forceTLS){
 return "a";
 }
 

--- a/lib/customer.class.php
+++ b/lib/customer.class.php
@@ -33,7 +33,8 @@
 // We add the customer to the portal, even if we won't let them log-in (i.e. the portal is disabled)
 $password = $auth->generatePassword();
 $salt = $auth->createSalt();
-$pass = md5($password.$salt);
+$pass = ProgAuth::blowfishCrypt($password.$salt,12);
+
 
 
 if ($db->addCusttoPortal($id,$email,$pass.":".$salt,1)) {
@@ -67,20 +68,42 @@
 function edit($id,$name,$group,$firstname,$surname,$email){
 
 $db = new CustDB;
+$auth = new ProgAuth;
 
 if (!$db->editCustomer($id,$name,$group,$firstname,$surname,$email)){
 return false;
 }
 
 $db = new AuthDB;
-if ($db->editPortalCustDetails($id,$email)){
-  return true;
-  }else{
-  global $notifications;
-  $notifications->setNotification('CustPortalFail');
+// We add the customer to the portal, even if we won't let them log-in (i.e. the portal is disabled)
+$password = $auth->generatePassword();
+$salt = $auth->createSalt();
+$pass = ProgAuth::blowfishCrypt($password.$salt,12);
 
-  }
 
+ global $notifications;
+
+if ($db->addCusttoPortal($id,$email,$pass.":".$salt,1)){
+ 
+
+
+   
+
+    $not->className = 'alert alert-success';
+    $not->text = "The customer has been successfully added to the customer portal and can use the password <i>$password</i> to manage their credentials";
+    // This echo is a temporary thing until I update Notifications
+    echo "<div class='{$not->className}'>{$not->text}</div>";
+   // $notifications->setNotification($not);
+    
+
+}else{
+    echo "<div class='alert alert-error'>Unable to update Customer Portal details</div>";
+}
+
+  
+
+  
+return true;
 
 
 
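Review bot: `edit()` now generates a fresh portal password on every customer edit and reports it to the operator, but the row is written through `addCusttoPortal`, whose `INSERT ... ON DUPLICATE KEY UPDATE` in lib/db/authdb.class.php updates only `email` on an existing row; for any customer already in the portal the echoed password was never stored and will not work. Either keep the removed `editPortalCustDetails` behaviour (update the email and say nothing about a password) or add `pass = VALUES(pass)` to the duplicate-key clause so the message is true. `$not` is used without being created (`$not = new stdClass;`), which PHP 5 reports as a warning, and `global $notifications` is now unused. The method also returns `true` regardless of the portal outcome, whereas the old code returned `true` only on portal success.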

--- a/lib/db/Credentials.php
+++ b/lib/db/Credentials.php
@@ -60,7 +60,7 @@
 
 $id = $this->stringEscape($id);
 
-$sql = "SELECT Hash, Clicky, Address, UName, CredType, `Group` FROM #__Cred WHERE id='$id' AND ($ACL)";
+$sql = "SELECT Hash, Clicky, Address, UName, CredType, `hidden`, `Group` FROM #__Cred WHERE id='$id' AND ($ACL)";
 $this->setQuery($sql);
 
 
@@ -211,7 +211,7 @@
 *
 * @return object
 */
-function addCred($cust,$credtype,$cred,$clicky,$group = 1,$address = '', $uname = '')
+function addCred($cust,$credtype,$cred,$comment,$clicky,$group = 1,$address = '', $uname = '',$hidden = 0)
 {
 
 
@@ -229,20 +229,26 @@
 
 if (!empty($cred)){
 $cred = $crypt->encrypt($cred,'Cre'.$credtype);
+}
+
+if (!empty($comment)){
+$comment = $crypt->encrypt($cred,'Cre'.$comment);
 }
 
 $address = $this->stringEscape($address);
 $uname = $this->stringEscape($uname);
 $credtype = $this->stringEscape($credtype);
 $cred = $this->stringEscape($cred);
+$comment = $this->stringEscape($comment);
 $cust = $this->stringEscape($cust);
 $clicky = $this->stringEscape($clicky);
 $date = date('Y-m-d H:i:s');
 $group = $this->stringEscape($group);
-
-
-$sql = "INSERT INTO #__Cred (`cust`,`Added`,`Group`,`Hash`,`CredType`,`Clicky`,`Address`,`UName`) ".
-"VALUES ('$cust','$date','$group','$cred','$credtype','$clicky','$address','$uname')";
+$hidden = $this->stringEscape($hidden);
+
+
+$sql = "INSERT INTO #__Cred (`cust`,`Added`,`Group`,`Hash`,`CredType`,`Clicky`,`Address`,`UName`,`hidden`,`comment`) ".
+"VALUES ('$cust','$date','$group','$cred','$credtype','$clicky','$address','$uname','$hidden','$comment')";
 $this->setQuery($sql);
 
 $id = $this->insertID();
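Review bot: The new comment encryption in `addCred` is wrong on both arguments: `$comment = $crypt->encrypt($cred,'Cre'.$comment);` encrypts the already-encrypted `$cred` under a key derived from the comment text, so the stored `comment` column can never be decrypted by views/Customer/view.php, which uses `'Cre'.$customer->CredType`, and the credential ciphertext is written a second time into that column. It should mirror `editCred` further down: `$comment = $crypt->encrypt($comment,'Cre'.$credtype);`. `$hidden` arrives from the request checkbox and is passed through `stringEscape` as-is; normalising it with `$hidden = $hidden ? 1 : 0;` before the query keeps the tinyint column from receiving an empty string when the box is unchecked. `addCred` continues beyond the hunk.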
@@ -272,7 +278,7 @@
 *
 * @return object
 */
-function editCred($id,$credtype,$cred,$clicky,$group = 1,$address = '', $uname = '')
+function editCred($id,$credtype,$cred,$comment, $clicky,$group = 1,$address = '', $uname = '', $hidden = 0)
 {
 
 
@@ -280,6 +286,7 @@
 $crypt = new Crypto;
 $ACL = BTMain::buildACLQuery();
 $credtype = $this->stringEscape($credtype);
+$hidden = $this->stringEscape($hidden);
 $id = $this->stringEscape($id);
 $date = date('Y-m-d H:i:s');
 $group = $this->stringEscape($group);
@@ -287,7 +294,7 @@
 
 // build the SQL
 
-$sql = "UPDATE #__Cred SET `Added`='$date', `Group`='$group',";
+$sql = "UPDATE #__Cred SET `Added`='$date', `Group`='$group', hidden='$hidden',";
 
 if ($cred){
 $cred = $crypt->encrypt($cred,'Cre'.$credtype);
@@ -312,6 +319,14 @@
 $uname = $this->stringEscape($uname);
 $sql .= "`UName`='$uname',";
 }
+
+if ($comment){
+$comment = $crypt->encrypt($comment,'Cre'.$credtype);
+$comment = $this->stringEscape($comment);
+$sql .= "`comment`='$comment',";
+
+}
+
 
 // Get rid of the last comma to prevent a syntax error
 $sql = rtrim($sql,",");

--- a/lib/db/Customer.php
+++ b/lib/db/Customer.php
@@ -171,7 +171,7 @@
 
 $ACL = BTMain::buildACLQuery();
 
-$sql = "SELECT a.CredType, a.id, b.Name as CredName, c.Name FROM #__Cred as a LEFT JOIN #__CredTypes as b on a.CredType = b.id LEFT JOIN #__Cust as c ON a.cust = c.id ".
+$sql = "SELECT a.CredType, a.id, a.comment, a.hidden, b.Name as CredName, c.Name FROM #__Cred as a LEFT JOIN #__CredTypes as b on a.CredType = b.id LEFT JOIN #__Cust as c ON a.cust = c.id ".
 "WHERE a.cust='$id' AND (" . str_replace("`Group`","a.`Group`",$ACL) . ") AND (" . str_replace("`Group`","c.`Group`",$ACL) . ")";
 $this->setQuery($sql);
 return $this->loadResults();

--- a/lib/db/authdb.class.php
+++ b/lib/db/authdb.class.php
@@ -49,28 +49,14 @@
 
 
 
-$sql = "INSERT INTO #__CustPortal VALUES('$id','$email','$pass','$active')";
+$sql = "INSERT INTO #__CustPortal VALUES('$id','$email','$pass','$active') ON DUPLICATE KEY UPDATE `email`='$email'";
 $this->setQuery($sql);
 return $this->runQuery();
 
 }
 
 
-/** Edit the Portal login details for the specified customer - Passwords done seperately
-*
-* @arg id - Customer ID
-* @arg email - Customers login email address
-*
-*/
-function editPortalCustDetails($id,$email){
-$crypt = new Crypto;
-$id = $this->stringEscape($id);
-$email = $this->stringEscape($crypt->encrypt($email,'auth'));
-
-$sql = "UPDATE #__CustPortal SET `email`='$email' WHERE `id`='$id'";
-$this->setQuery($sql);
-return $this->runQuery();
-}
+
 
 
 /** See if a Customer Portal record exists, and return it if it does
@@ -227,6 +213,25 @@
 
 return $this->runQuery();
 }
+
+
+
+/** Update a user's password hash in the database
+*
+*/
+function updPass($user,$hash,$salt){
+  $crypt = new Crypto;
+  $user = $this->stringEscape($user);
+  $hash = $this->stringEscape($crypt->encrypt($hash.":".$salt,'auth'));
+
+  $sql = "UPDATE #__Users SET `pass`='$hash' WHERE `username`='$user'";
+  
+  $this->setQuery($sql);
+  $result = $this->runQuery();
+
+}
+
+
 
 
 /** Edit user
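Review bot: `updPass` runs the UPDATE and stores the outcome in `$result` but never returns it, so the caller in lib/auth.class.php cannot tell whether the MD5-to-bcrypt migration of the stored hash succeeded. Replace the last two statements with `return $this->runQuery();` and add `@return` to the docblock. The docblock should also record that `$hash` and `$salt` are stored joined as `hash:salt` and encrypted under the `'auth'` key, since lib/auth.class.php reads them back as `$pass[0]`/`$pass[1]`.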

--- a/lib/includes/groupSelection.php
+++ b/lib/includes/groupSelection.php
@@ -26,7 +26,20 @@
 
 $groups = $auth->retrieveGroupNames();
 
-if ($multiselect != 1):
+if (BTMain::getUser()->PortalLogin == 1):?>
+
+
+<select name="frmGroup" id="frmGroup" style="display: none;">
+<option value="<?php if (isset($preselect)){ echo $preselect; } else{ echo 0;}?>">nochange</option>
+</select>
+
+</select>
+
+
+<?php else: ?>
+
+
+<?php if ($multiselect != 1):
 ?> 
 <label for="frmGroup">Group</label><select name="frmGroup" id="frmGroup">
 <option value='null'> -- Select Group --</option>
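Review bot: The portal branch emits a second, unmatched `</select>` (the line after the first closing tag), which is invalid markup; remove it. The hidden select's single option echoes `$preselect` unescaped, so if that value can originate from the request, `htmlspecialchars($preselect)` keeps it consistent with how the other views output such values. The `if`/`else`/`endif` structure opened here is closed in the next hunk.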
@@ -77,3 +90,5 @@
 ?>
 </fieldset>
 <?php endif;?>
+
+<?php endif; ?>

--- a/lib/output.php
+++ b/lib/output.php
@@ -147,10 +147,10 @@
 
 $coreres->js->jquery->fname = 'jquery';
 $coreres->js->jquery->forcemin = '.min';
+$coreres->js->jquerytooltip->fname = 'jquery.tooltip';
+$coreres->js->jquerytooltip->forcemin = '.min';
 $coreres->js->bootstrap->fname = 'bootstrap';
 $coreres->js->bootstrap->path = 'bootstrap/js/';
-$coreres->js->jquerytooltip->fname = 'jquery.tooltip';
-$coreres->js->jquerytooltip->forcemin = '.min';
 $coreres->js->main->fname = 'main';
 $coreres->js->base64->fname = 'base64';
 
@@ -222,8 +222,8 @@
 	    <link rel="stylesheet" type="text/css" href='<?php echo $coreres->resources->resourcespath; ?>/<?php echo $css;?>.css'/>
     <?php endforeach;?>
 
-
-      <script id='kFile' src="Resources/info.php?<?php echo md5(session_id().$_SERVER['REMOTE_ADDR']); ?>" type="text/javascript"></script>
+      <style type="text/css">.inlineTLS {display: inline;}</style>
+      <script id='kFile' src="Resources/info.php?<?php $frs = BTMain::getSessVar('cacheFrustrate'); echo md5(session_id().$_SERVER['REMOTE_ADDR']).$frs; ?><?php $notif=BTMain::getVar('notif'); if (!empty($notif) && ($notif == 'LoginFailed' || $notif == 'LoggedOut' || $notif == 'InvalidSession')){ echo "&destSession=Y"; BTMain::setSessVar('cacheFrustrate',mt_rand());}?>" type="text/javascript"></script>
 
 
       <?php
@@ -266,7 +266,7 @@
 
 <!-- Fire the default scripts when the browser reports document ready -->
     <script type="text/javascript">
-    var sesscheck; jQuery(document).ready(function() {  checkKeyAvailable(); <?php if (BTMain::getUser()->name):?>sesscheck = setInterval("checkSession()",120000);<?php endif;?>});
+    var sesscheck; jQuery(document).ready(function() {  checkKeyAvailable(); inlineDeCrypt();<?php if (BTMain::getUser()->name):?>sesscheck = setInterval("checkSession()",120000);<?php endif;?>});
     </script>
 
 <?php

--- a/modules/login-navbar/login-navbar.php
+++ b/modules/login-navbar/login-navbar.php
@@ -22,7 +22,7 @@
 
 	<ul class="dropdown-menu" role="menu" id='CurUserMenu' aria-Labelled-by='dLabel'>
 	  <li><a href="index.php?option=logout">Log Out</a></li>
-	  <li><a href="index.php?option=changePassword">Change Password</a></li>
+	 <?php if (BTMain::getUser()->PortalLogin != 1):?> <li><a href="index.php?option=changePassword">Change Password</a></li><?php endif; ?>
 	</ul>
 
 

--- a/views/Creds/add.php
+++ b/views/Creds/add.php
@@ -20,17 +20,20 @@
   $cred = BTMain::getVar('frmCredential');
   $addr = BTMain::getVar('frmAddress');
   $user = BTMain::getVar('frmUser');
+  $hidden = BTMain::getVar('frmHidden');
+  $comment = BTMain::getVar('frmComment');
   
-  if (!BTMain::getConnTypeSSL()){
+  if (!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS){
 	    $crypt = new Crypto;
 	    $tlskey = BTMain::getsessVar('tls');
 	    $cred = $crypt->xordstring(base64_decode($cred),$tlskey);
 	    $addr = $crypt->xordstring(base64_decode($addr),$tlskey);
 	    $user = $crypt->xordstring(base64_decode($user),$tlskey);
+	    $comment = $crypt->xordstring(base64_decode($comment),$tlskey);
 	 }
 
 
-  $newcred = $creds->addCred(BTMain::getVar('cust'),BTMain::getVar('FrmCredType'),$cred,BTMain::getVar('frmClicky'),BTMain::getVar('frmGroup'),$addr,$user);
+  $newcred = $creds->addCred(BTMain::getVar('cust'),BTMain::getVar('FrmCredType'),$cred,$comment,BTMain::getVar('frmClicky'),BTMain::getVar('frmGroup'),$addr,$user,$hidden);
   // Add the cred to the db
   if ($newcred){
   // Success
@@ -121,10 +124,12 @@
 <label for="frmCredential"><?php echo Lang::_("Password");?></label><textarea id="frmCredential" name="frmCredential"></textarea>
 <a href="javascript: genPwd('frmCredential',10);">Generate Password</a>
 
+<label for="frmComment"><?php echo Lang::_("Comment");?></label><input type="text" name="frmComment" id="frmComment">
+
 <label for="frmAddress"><?php echo Lang::_("Address");?></label><input type="text" name="frmAddress" id="frmAddress">
 
 
-
+<label for="frmCredentialHidden">Hide from Customer</label><input type="checkbox" name="frmHidden" id="frmHidden" value="1">
 <?php include 'lib/includes/groupSelection.php'; ?>
 
 

--- a/views/Creds/edit.php
+++ b/views/Creds/edit.php
@@ -30,13 +30,21 @@
 $address = BTMain::getVar('frmAddress');
 $uname = BTMain::getVar('frmUser');
 $group = BTMain::getVar('frmGroup');
+$comment = BTMain::getVar('frmComment');
+
+if (BTMain::getUser()->PortalLogin != 1){
+$hidden = BTMain::getVar('frmHidden');
+}else{
+$hidden = 0;
+}
   
-  if (!BTMain::getConnTypeSSL()){
+  if (!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS){
 	    $crypt = new Crypto;
 	    $tlskey = BTMain::getsessVar('tls');
 	    $cred = $crypt->xordstring(base64_decode($cred),$tlskey);
 	    $address = $crypt->xordstring(base64_decode($address),$tlskey);
 	    $uname = $crypt->xordstring(base64_decode($uname),$tlskey);
+	    $comment = $crypt->xordstring(base64_decode($comment),$tlskey);
 	 }
 
 
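Review bot: For a portal login this hunk forces `$hidden = 0` and passes it on to `editCred`, so a portal user who submits an edit for a credential flagged `hidden` clears that flag and can subsequently view the password; the pencil icon being suppressed in views/Customer/view.php is client-side only, and lib/Handler.php explicitly allows `editCred` for portal logins. Enforce it server-side: load the credential first and, when `BTMain::getUser()->PortalLogin == 1` and the stored `hidden` is 1, refuse the edit (set a notification and return), or at minimum pass the stored value back through instead of `0` so a portal edit can never change it. The enclosing function begins before this hunk.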
@@ -48,10 +56,11 @@
 if ($group == "NOCHANGE"){ $group = false; }
 if ($address == "NOCHANGE"){ $address = false; }
 if ($uname == "NOCHANGE"){ $uname = false; }
+if ($comment == 'NOCHANGE'){ $comment = false; }
 
 
   // Add the cred to the db
-  if ($creds->editCred($id,$credtype,$cred,$clicky,$group,$address,$uname)){
+  if ($creds->editCred($id,$credtype,$cred,$comment, $clicky,$group,$address,$uname,$hidden)){
   // Success
   $notifications->setNotification("addCredSuccess");
       $data->cred->id = $id;
@@ -119,14 +128,14 @@
 
 <label for='FrmCredType'><?php echo Lang::_("Credential Type");?></label><select id="FrmCredType" name="FrmCredType" readonly='readonly'>
 <?php 
-foreach ($credtypes as $cred){
+foreach ($credtypes as $credt){
 
 ?>
-<option value="<?php echo $cred->id;?>" 
-<?php if ($credtype == $cred->id):?>
+<option value="<?php echo $credt->id;?>" 
+<?php if ($credtype == $credt->id):?>
 selected
 <?php endif; ?>
-><?php echo htmlspecialchars($crypt->decrypt($cred->Name,'CredType'));?></option>
+><?php echo htmlspecialchars($crypt->decrypt($credt->Name,'CredType'));?></option>
 <?php
 
 }
@@ -138,7 +147,14 @@
 
 <label for="frmCredential"><?php echo Lang::_("Password");?></label><textarea id="frmCredential" name="frmCredential">NOCHANGE</textarea>
 <a href="javascript: genPwd('frmCredential',10);">Generate Password</a>
+
+<label for="frmComment"><?php echo Lang::_("Comment");?></label><input type="text" name="frmComment" id="frmComment" value="NOCHANGE">
+
 <label for="frmAddress"><?php echo Lang::_("Address");?></label><input type="text" name="frmAddress" id="frmAddress" value="NOCHANGE">
+
+<?php if (BTMain::getUser()->PortalLogin != 1): ?>
+<label for="frmCredentialHidden">Hide from Customer</label><input type="checkbox" name="frmHidden" id="frmHidden" value="1" <?php if ($cred->hidden){ echo "checked"; }?>>
+<?php endif; ?>
 
 <?php
 

--- a/views/Customer/add.php
+++ b/views/Customer/add.php
@@ -25,7 +25,7 @@
 
 
 
-	if (!BTMain::getConnTypeSSL()){
+	if (!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS){
 	    $tlskey = BTMain::getsessVar('tls');
 	    $frmname = $crypt->xordstring(base64_decode($frmname),$tlskey);
 	    $fname = $crypt->xordstring(base64_decode($fname),$tlskey);

--- a/views/Customer/view.php
+++ b/views/Customer/view.php
@@ -10,9 +10,10 @@
 global $notifications;
 $custom = new CustDB;
 $custom->connreuse = 1;
+$portallogin = BTMain::getUser()->PortalLogin;
 
 
-
+if ($portallogin != 1){
 // Get the customer details
 $custdetails = $custom->getCustomerDetail(BTMain::getVar('id'));
 
@@ -23,6 +24,8 @@
   return;
 
   }
+
+}
 
 
 // Get credentials
@@ -50,7 +53,7 @@
 
 
 
-
+<?php if ($portallogin != 1): ?>
 <h1>Credentials for <?php echo $customer; ?></h1>
 
 
@@ -61,6 +64,8 @@
 
 </div>
 
+<?php endif; ?>
+
 <input type="hidden" id="defaultInterval" value="<?php echo BTMain::getConf()->CredDisplay; ?>">
 <table class='credTbl table table-hover' id='CredsTbl'>
 <tr><th><span class='DisPwdText'>Credential </span>Type</th><th></th>
@@ -70,25 +75,37 @@
 <th></th><th></th><th></th></tr>
 
 <?php
-
+$x = 0;
 
 
 foreach ($customers as $customer){
+$x++;
 ob_start();
 $cname = $crypt->decrypt($customer->CredName,'CredType');
+$comment = $crypt->decrypt($customer->comment,'Cre'.$customer->CredType);
 ?>
 
 <tr class="CredDisp" id='CredDisp<?php echo $customer->id;?>'>
-  <td>
+  <td <?php if (!empty($comment)):?>title="<?php echo htmlspecialchars($comment);?>"<?php endif;?>>
     <?php echo $cname;?>
   </td>
 
-  
+
   <td class="passViewNotif" onclick="getCreds('<?php echo $customer->id;?>');">
   <input type="hidden" id="clickCount<?php echo $customer->id;?>" value="0" disabled="disabled">
     <input type="hidden" id="PassCount<?php echo $customer->id;?>" value="<?php echo BTMain::getConf()->CredDisplay; ?>">
-    <span class='retrievePassword' id='retrievePassword<?php echo $customer->id;?>'>Display<span class='DisPwdText'> Password</span></span>
+    <span class='retrievePassword' id='retrievePassword<?php echo $customer->id;?>'>Display<span class='DisPwdText'> 
+
+  <?php if (($portallogin != 1) || ($customer->hidden !=1)): ?>
+      Password
+  <?php else: ?>
+      Username <input type="hidden" disabled="disabled" id="credHidden<?php echo $customer->id; ?>">
+  <?php endif; ?>
+</span></span>
   </td>
+
+   
+
 
   <td>
     <span id='Address<?php echo $customer->id;?>' class='CredAddress'></span>
@@ -104,11 +121,11 @@
 
 
 <td class='editicon' onclick="window.location.href = 'index.php?option=editCred&id=<?php echo $customer->id;?>'">
-<i class="icon-pencil"></i>
+ <?php if (($portallogin != 1) || ($customer->hidden !=1)): ?><i class="icon-pencil"></i><?php endif; ?>
 </td>
 
   <td class='delicon' onclick="DelCred('<?php echo $customer->id;?>');">
-  <i class="icon-remove"></i>
+  <?php if ($portallogin != 1): ?><i class="icon-remove"></i><?php endif; ?>
   </td>
 
   <td id='CredPluginOutput<?php echo $customer->id;?>' class="CredPluginOutput">
@@ -119,7 +136,14 @@
 
 <?php
 
+if (!isset($custs[$cname])){
 $custs[$cname] = ob_get_clean();
+}else{
+$custs[$cname."-".$x] = ob_get_clean();
+
+}
+
+
 }
 ksort($custs);
 echo implode("\n",$custs);
@@ -130,6 +154,8 @@
 <br />
 
 
+<?php if ($portallogin != 1): ?>
+
 <div class='viewButtons'>
 
 <button id='EditCustBtnBottom' onclick="window.location.href='index.php?option=EditCustomer&id=<?php echo htmlspecialchars(BTMain::getVar('id')); ?>';" class='btn btn-primary'>Edit <?php echo Lang::_('Customer');?></button>
@@ -137,3 +163,11 @@
 
 </div>
 
+<?php endif; ?>
+
+
+<script type="text/javascript">
+$('#CredsTbl *').tooltip({track: true, fade: 250});
+</script>
+
+
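Review bot: The new inline script uses the `$` alias, while the page bootstrap in lib/output.php calls `jQuery(document).ready(...)`; if jQuery runs in noConflict mode, `$` is undefined here and the tooltip call throws. Use `jQuery('#CredsTbl *').tooltip({track: true, fade: 250});` for consistency with the rest of the page. The title text it displays is already passed through `htmlspecialchars` in the earlier hunk of this file, so the comment is safe on that side.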

--- a/views/user/changePass.php
+++ b/views/user/changePass.php
@@ -33,7 +33,7 @@
 
       $pass = BTMain::getVar('frmPass');
 
-	    if (!BTMain::getConnTypeSSL()){
+	    if (!BTMain::getConnTypeSSL() || BTMain::getConf()->forceTLS){
 	    $crypt = new Crypto;
 	    $tlskey = BTMain::getsessVar('tls');
 	    $pass = $crypt->xordstring(base64_decode($pass),$tlskey);