login after timeout POSTs to page and unsets config options
If you're at a particular page in the web interface and your session times out, when you refresh that page and log in, it POSTs the username and password to that page, and the page treats it as a normal POST, unsetting many config options. For example, go to system_advanced_admin.php, refresh after the session timeout, login, and it wipes values there.
#1 Updated by Erik Fonnesbeck almost 9 years ago
6af7c40b296e0f95ec308d41aea55b3306c5e1ee (which was reverted but then recommitted) was intended to fix this, but seems to be incomplete. This issue is also referenced by #161, but that one doesn't seem to be specifically about this.
Putting an exit after the pfSenseHeader line in etc/inc/auth.inc (currently line 1105) seems to fix it, but I've held off on committing it because I was told not to change it without discussing it first. There is also possibly one line missing that should go before the return true in this area, which is just before the return true at the end of the function:
$HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
It is something that normally happens under the conditions where the function will return true.