Bug #11268
open
Cookie named 'id' prevents Edit form fields being set properly
0%
Description
If you have a cookie set with a name 'id' (any value), and you try to edit something, e.g. a firewall rule, the form fields are not properly filled in on the page - they seem to be set to the default values you'd get if you were creating a new rule.
(I have found this occurs in the wild, if you have a ports forwarded for both pfSense and a Synology NAS, and you log into both through the same hostname.)
Updated by Matthew Fearnley about 3 years ago
I've realised that the `id` entry in the session cookie is overriding the `?id=` URL parameter. E.g. setting it to 0 edits the first rule, setting it to 1 edits the second, etc.
In Chrome you can replicate this if you edit a port-forward (e.g. https://192.168.1.1/firewall_rules_edit.php?id=0), and go to Developer Tools, Application, Storage->Cookies.
Double-click a blank row in the Name column and type 'id', then can set the Value in a similar way.
(This also works for `dup` and perhaps other parameters.)
Updated by Matthew Fearnley about 1 year ago
Just to say this still affects current versions of pfSense - I've tested it in pfSense 23.05.1 Plus.
Cookie values still override the URL parameter.
It also seems to happen with other parameters - e.g. the `if` parameter on `/firewall_rules.php?if=wan`.