Bug #660

closed

login after timeout POSTs to page and unsets config options

Added by Chris Buechler over 11 years ago. Updated over 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Web Interface
Target version:
Start date: 06/14/2010
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

If you're at a particular page in the web interface and your session times out, when you refresh that page and log in, it POSTs the username and password to that page, and the page treats it as a normal POST, unsetting many config options. For example, go to system_advanced_admin.php, refresh after the session timeout, log in, and it wipes values there.

Actions #1

Updated by Erik Fonnesbeck over 11 years ago

6af7c40b296e0f95ec308d41aea55b3306c5e1ee (which was reverted but then recommitted) was intended to fix this, but seems to be incomplete. This issue is also referenced by #161, but that one doesn't seem to be specifically about this.

Putting an exit after the pfSenseHeader line in etc/inc/auth.inc (currently line 1105) seems to fix it, but I've held off on committing it because I was told not to change it without discussing it first. There is also possibly one line missing that should go before the return true in this area, which is just before the return true at the end of the function:
$HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
It is something that normally happens under the conditions where the function will return true.
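
The failure mode reported in this issue, and the effect of stopping after the login redirect, as an added PHP sketch (not pfSense code and not part of the original thread). The function names, form fields, option names and credentials are all constructed for illustration; it runs from the PHP command line.

```php
<?php
// Added illustration; every name here is hypothetical, not pfSense code.

// Page-level form handler: like many checkbox forms, a field missing from
// the POST body is read as "unchecked".
function page_save(array $post, array $config): array {
    foreach (array_keys($config) as $opt) {
        $config[$opt] = isset($post[$opt]);
    }
    return $config;
}

// Authentication gate run at the top of every page: 'ok', 'just_logged_in' or 'denied'.
function auth_gate(array $post, array &$session): string {
    if (isset($session['Username'])) {
        return 'ok';
    }
    // Constructed credential check for the demo only.
    if (($post['username'] ?? '') === 'admin'
        && hash_equals('constructed-password', (string)($post['password'] ?? ''))) {
        $session['Username'] = $post['username'];
        return 'just_logged_in';
    }
    return 'denied';
}

// $stopAfterLogin = false models the bug, true models "redirect, then exit".
function handle(array $post, array &$session, array $config, bool $stopAfterLogin): array {
    $state = auth_gate($post, $session);
    if ($state === 'denied') {
        return [200, 'login form', $config];
    }
    if ($state === 'just_logged_in' && $stopAfterLogin) {
        // In a real page: send a Location header back to the same URL, then exit.
        return [302, 'redirect', $config];
    }
    if ($post !== []) {                       // the page sees "a POST" and saves
        $config = page_save($post, $config);
    }
    return [200, 'page', $config];
}

$config = ['opt_one' => true, 'opt_two' => true];            // constructed settings
$login  = ['username' => 'admin', 'password' => 'constructed-password'];
foreach ([false, true] as $stop) {
    $session = [];                                           // expired session
    [$status, $body, $after] = handle($login, $session, $config, $stop);
    printf("stop=%s status=%d config=%s\n", var_export($stop, true), $status, json_encode($after));
}
```

With `$stopAfterLogin` false the login POST falls through to `page_save()` and every option is cleared; with it true the request ends at the redirect and the settings are untouched.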

Actions #2

Updated by Ermal Luçi over 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #3

Updated by Chris Buechler over 11 years ago

  • Status changed from Feedback to Resolved