Bug #660

login after timeout POSTs to page and unsets config options

Added by Chris Buechler almost 9 years ago. Updated almost 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Web Interface
Target version:
Start date: 06/14/2010
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

If you're at a particular page in the web interface and your session times out, when you refresh that page and log in, it POSTs the username and password to that page, and the page treats it as a normal POST, unsetting many config options. For example, go to system_advanced_admin.php, refresh after the session timeout, login, and it wipes values there.

Associated revisions

Revision f23e6363 (diff)
Added by Ermal Luçi almost 9 years ago

Fixes #660. Simplify some code and correctly do an exit after a redirect is issued. Thanks-to: Efonne for analysis.

History

#1 Updated by Erik Fonnesbeck almost 9 years ago

6af7c40b296e0f95ec308d41aea55b3306c5e1ee (which was reverted but then recommitted) was intended to fix this, but seems to be incomplete. This issue is also referenced by #161, but that one doesn't seem to be specifically about this.

Putting an exit after the pfSenseHeader line in etc/inc/auth.inc (currently line 1105) seems to fix it, but I've held off on committing it because I was told not to change it without discussing it first. There is also possibly one line missing that should go before the return true in this area, which is just before the return true at the end of the function:
    $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
It is something that normally happens under the conditions where the function will return true.
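
The following is an added model of the mechanism in this report and of the exit-after-redirect fix discussed in comment #1; it is not pfSense code, and the option names, login field names and config layout are assumed for illustration.

```php
<?php
// Added model of bug #660, not pfSense code. Option and login field names
// are assumed. The handler stands in for a settings page such as
// system_advanced_admin.php: authentication runs first, form handling second.

function handle_settings_page(array $post, array $session, array $config, bool $exit_after_redirect): array
{
    $redirected = false;
    // Session expired and this request is the login form being submitted to
    // the page that was refreshed (the login form posts to the requested URL).
    if (empty($session['Username']) && isset($post['usernm'], $post['passwordfld'])) {
        // Credentials are taken as valid here; the real code then issues a
        // redirect back to the requested page (pfSenseHeader in auth.inc).
        $session['Username'] = $post['usernm'];
        $redirected = true;
        if ($exit_after_redirect) {
            // The fix: stop right after the redirect so nothing below sees $post.
            return ['config' => $config, 'redirected' => true];
        }
        // Buggy path: execution falls through into the form handler below.
    }

    // Ordinary form handling for this page. Every option is re-read from
    // $post; an absent checkbox means "unchecked", so a POST that carries
    // only usernm/passwordfld silently clears every boolean option here.
    if (!empty($post)) {
        $config['system']['disableconsolemenu'] = isset($post['disableconsolemenu']);
        $config['system']['noantilockout']      = isset($post['noantilockout']);
        $config['system']['sessiontimeout']     = $post['sessiontimeout'] ?? '';
    }
    return ['config' => $config, 'redirected' => $redirected];
}

// Constructed scenario: options were set, the session timed out, the user
// refreshed the settings page and logged in through the form it showed.
$config    = ['system' => ['disableconsolemenu' => true, 'noantilockout' => true, 'sessiontimeout' => '240']];
$expired   = [];                                               // no Username in session
$loginPost = ['usernm' => 'admin', 'passwordfld' => 'hunter2']; // constructed login POST

$buggy = handle_settings_page($loginPost, $expired, $config, false);
$fixed = handle_settings_page($loginPost, $expired, $config, true);

echo "without exit (bug):  ", var_export($buggy['config']['system'], true), "\n"; // all three options wiped
echo "with exit (fix):     ", var_export($fixed['config']['system'], true), "\n"; // unchanged
echo "redirect issued in both cases: ", var_export($buggy['redirected'] && $fixed['redirected'], true), "\n";
```

Run it with `php` from the command line; the only difference between the two calls is whether the handler returns immediately after the redirect, which is exactly the one-line change the fix revision makes.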

#2 Updated by Ermal Luçi almost 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to Resolved
