Set the CSRF Magic timeout to the same as the session timeout, so that if a user sets a lower session time, the CSRF magic tokens do not outlive the user's session.

author: jim-p <jimp@pfsense.org> 2012-10-31 09:47:22 -0400
committer: jim-p <jimp@pfsense.org> 2012-10-31 10:49:13 -0400
commit: 56befec1e2f7208e1f61a67df56592475242020b (patch)
tree: 77da68335e963fe237577a74049b64c258fd9036 /usr/local/www/guiconfig.inc
parent: fcf53c1e081e218726f1d2168ecf8637e8ada41b (diff)
download: pfsense-56befec1e2f7208e1f61a67df56592475242020b.zip
pfsense-56befec1e2f7208e1f61a67df56592475242020b.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 5959b15..988af9f 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -37,6 +37,9 @@
 if(!$nocsrf) {
 	function csrf_startup() {
 		csrf_conf('rewrite-js', '/csrf/csrf-magic.js');
+		$timeout_minutes = isset($config['system']['webgui']['session_timeout']) ?  $config['system']['webgui']['session_timeout'] : 240;
+		csrf_conf('expires', $timeout_minutes * 60);
+		echo $GLOBALS['csrf']['expires'];
 	}
 	require_once("csrf/csrf-magic.php");
 }
author	jim-p <jimp@pfsense.org>	2012-10-31 09:47:22 -0400
committer	jim-p <jimp@pfsense.org>	2012-10-31 10:49:13 -0400
commit	56befec1e2f7208e1f61a67df56592475242020b (patch)
tree	77da68335e963fe237577a74049b64c258fd9036 /usr/local/www/guiconfig.inc
parent	fcf53c1e081e218726f1d2168ecf8637e8ada41b (diff)
download	pfsense-56befec1e2f7208e1f61a67df56592475242020b.zip pfsense-56befec1e2f7208e1f61a67df56592475242020b.tar.gz