Bug #660
closed
login after timeout POSTs to page and unsets config options
Added by Chris Buechler over 14 years ago.
Updated over 14 years ago.
Description
If you're at a particular page in the web interface and your session times out, then when you refresh that page and log in, the login form POSTs the username and password to that page, and the page treats it as a normal form POST, unsetting many config options. For example, go to system_advanced_admin.php, refresh after the session timeout, log in, and it wipes values there.
6af7c40b296e0f95ec308d41aea55b3306c5e1ee (which was reverted but then recommitted) was intended to fix this, but seems to be incomplete. This issue is also referenced by #161, but that one doesn't seem to be specifically about this.
Putting an exit after the pfSenseHeader line in etc/inc/auth.inc (currently line 1105) seems to fix it, but I've held off on committing it because I was told not to change it without discussing it first. There is also possibly one line missing that should go before the return true in this area, which is just before the return true at the end of the function:
$HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
It is something that normally happens under the conditions where the function will return true.
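The flow described above, as an added example that is not pfSense's own code: a CLI-runnable PHP model of a settings page whose auth check redirects after a successful login but keeps executing, so the re-submitted login form is handled as the page's own POST and the checkbox-backed options that are absent from that POST get unset. In "fixed" mode the script exits immediately after the redirect, which is the change the report proposes. The helper names (the pfSenseHeader() stand-in, check_credentials(), handle_admin_page_post()), the request data and the two config keys are assumptions constructed for this demo.

```php
<?php
// Added example, not pfSense code: models the bug reported in #660 and the
// proposed fix (an exit right after the redirect). Every name below is an
// assumption constructed for the demo.
// Run:  php login_post_demo.php vulnerable    or    php login_post_demo.php fixed

$mode = $argv[1] ?? 'vulnerable';

// Constructed request state: the session has expired (no Username) and the
// browser has just re-submitted the login form to the page the user was on.
$_SESSION = [];
$_POST = ['usernamefld' => 'admin', 'passwordfld' => 'pfsense', 'login' => 'Login'];

// Constructed config with two checkbox-backed options currently enabled.
$config = ['webgui' => ['disableconsolemenu' => true, 'noantilockout' => true]];

// Stand-in for the redirect helper: sends a Location header, nothing more.
function pfSenseHeader($url) {
    header("Location: $url");
    echo "redirect issued to $url\n";
}

// Constructed credential check; a real one consults the user database.
function check_credentials($user, $pass) {
    return $user === 'admin' && $pass === 'pfsense';
}

// Model of the per-page session/auth check.
function session_auth($mode) {
    if (!empty($_SESSION['Username'])) {
        return true;                      // live session, carry on
    }
    $user = $_POST['usernamefld'] ?? '';
    $pass = $_POST['passwordfld'] ?? '';
    if (isset($_POST['login']) && check_credentials($user, $pass)) {
        $_SESSION['Username'] = $user;
        pfSenseHeader($_SERVER['REQUEST_URI'] ?? '/system_advanced_admin.php');
        if ($mode === 'fixed') {
            exit;   // the fix: stop here so the login POST never reaches the page body
        }
        return true; // bug: the page now runs with the login form's fields in $_POST
    }
    echo "login form would be shown\n";
    return false;
}

// Typical checkbox handling on a settings page: clear, then set only if posted.
// A login POST carries none of these fields, so every option ends up cleared.
function handle_admin_page_post(array &$config) {
    unset($config['webgui']['disableconsolemenu']);
    unset($config['webgui']['noantilockout']);
    if (!empty($_POST['disableconsolemenu'])) {
        $config['webgui']['disableconsolemenu'] = true;
    }
    if (!empty($_POST['noantilockout'])) {
        $config['webgui']['noantilockout'] = true;
    }
}

// The page body, as it runs after the auth check returns.
if (session_auth($mode)) {
    if ($_POST) {
        handle_admin_page_post($config);
    }
    echo "config after request: " . json_encode($config) . "\n";
}
```

Running it in "vulnerable" mode prints the redirect line followed by a config in which both options have been removed; in "fixed" mode only the redirect line is printed, because the script terminates before the page body can treat the login credentials as a settings submission. The browser then follows the redirect with a plain GET, so the page is rendered without any POST data at all.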
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved