Project

General

Profile

Actions

Todo #9799

closed

Create custom CSRF callback page with proper theme & more warnings

Added by Jim Pingle over 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Web Interface
Target version:
Start date:
09/27/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

When a user triggers a CSRF error, either by accident (e.g. sitting on the login page for hours without submitting, then trying to log in), or by malicious means (e.g. unintentional submission from a malicious page), the presented page has two issues:

1. It's a plain/default page from CSRF magic, not themed to match pfSense
2. There is not enough warning text about submitting the "Try Again" button, since it may cause harm

The page can be customized by defining a custom callback function, as described in the CSRF Magic docs: https://github.com/ezyang/csrf-magic/blob/master/README.txt#L102

The configuration/function can be defined in guiconfig.inc before the include of CSRF Magic happens.

Actions

Also available in: Atom PDF