Bug #660
closed
login after timeout POSTs to page and unsets config options
100%
Description
If you're at a particular page in the web interface and your session times out, when you refresh that page and log in, it POSTs the username and password to that page, and the page treats it as a normal POST, unsetting many config options. For example, go to system_advanced_admin.php, refresh after the session timeout, log in, and it wipes values there.
Updated by Erik Fonnesbeck over 14 years ago
6af7c40b296e0f95ec308d41aea55b3306c5e1ee (which was reverted but then recommitted) was intended to fix this, but seems to be incomplete. This issue is also referenced by #161, but that one doesn't seem to be specifically about this.
Putting an exit after the pfSenseHeader line in etc/inc/auth.inc (currently line 1105) seems to fix it, but I've held off on committing it because I was told not to change it without discussing it first. There is also possibly one line missing that should go before the return true in this area, which is just before the return true at the end of the function:
$HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
It is something that normally happens under the conditions where the function will return true.
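The failure described in this report, and the effect of stopping right after the redirect, as an added example that is not part of the original thread and is not pfSense code. It is a simplified PHP model: every function, field and option name is hypothetical, the credentials are constructed, and the page is assumed to store any checkbox missing from a POST as off.

```php
<?php
// Simplified model of the flow, not pfSense code; all names are hypothetical.
final class StopRequest extends Exception {}    // stands in for exit

// Login guard run at the top of every page. On a valid login POST it queues a
// redirect back to the requested page; $exitAfterRedirect = false is the bug.
function guard(array $post, array &$session, array &$headers, bool $exitAfterRedirect): void
{
    if (isset($session['Username'])) {
        return;                                 // session still valid
    }
    if (($post['username'] ?? '') !== 'admin' || ($post['password'] ?? '') !== 'constructed-pw') {
        throw new StopRequest();                // show the login form, run nothing else
    }
    $session['Username'] = $post['username'];
    $headers[] = 'Location: /settings.php';
    if ($exitAfterRedirect) {
        throw new StopRequest();                // fixed: the page never sees the login POST
    }
}

// Settings page: any POST is taken as its own form, and a checkbox missing
// from the POST is stored as "off" (assumed behaviour for this model).
function settings_page(array $post, array &$config): void
{
    if ($post !== []) {
        foreach (array_keys($config) as $option) {
            $config[$option] = isset($post[$option]);
        }
    }
}

// One request: login POST sent to the settings URL after the session expired.
function handle_request(bool $exitAfterRedirect): array
{
    $config  = ['option_a' => true, 'option_b' => true];            // constructed
    $post    = ['username' => 'admin', 'password' => 'constructed-pw'];
    $session = [];
    $headers = [];
    try {
        guard($post, $session, $headers, $exitAfterRedirect);
        settings_page($post, $config);
    } catch (StopRequest $e) { /* request ended before the page body ran */ }
    return $config;
}

echo 'without exit: ', json_encode(handle_request(false)), PHP_EOL;
echo 'with exit:    ', json_encode(handle_request(true)), PHP_EOL;
```

Run with the PHP CLI. The two output lines show the stored options after the same login POST, first with the guard falling through to the page and then with the request ending at the redirect.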
Updated by Ermal Luçi over 14 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset f23e63638af309ec317dc924794c34dd1c68fecc.
Updated by Chris Buechler over 14 years ago
- Status changed from Feedback to Resolved