Bug #11268
open
Cookie named 'id' prevents Edit form fields being set properly
0%
Description
If you have a cookie set with a name 'id' (any value), and you try to edit something, e.g. a firewall rule, the form fields are not properly filled in on the page - they seem to be set to the default values you'd get if you were creating a new rule.
(I have found this occurs in the wild, if you have a ports forwarded for both pfSense and a Synology NAS, and you log into both through the same hostname.)
Updated by Matthew Fearnley over 1 year ago
I've realised that the `id` entry in the session cookie is overriding the `?id=` URL parameter. E.g. setting it to 0 edits the first rule, setting it to 1 edits the second, etc.
In Chrome you can replicate this if you edit a port-forward (e.g. https://192.168.1.1/firewall_rules_edit.php?id=0), and go to Developer Tools, Application, Storage->Cookies.
Double-click a blank row in the Name column and type 'id', then can set the Value in a similar way.
(This also works for `dup` and perhaps other parameters.)