Set the CSRF Magic timeout to the same as the session timeout, so that if a user sets a lower session time, the CSRF magic tokens do not outlive the user's session.

author: jim-p <jimp@pfsense.org> 2012-10-31 09:47:22 -0400
committer: jim-p <jimp@pfsense.org> 2012-10-31 09:49:10 -0400
commit: 23c3ccb6b623c3439d84b454d064acfe96971428 (patch)
tree: e03cef90ce52e727c954d81063dbbd0ca18aa655 /usr/local/www
parent: b3a1733da5a4ca752216c38201f23bb02d527b45 (diff)
download: pfsense-23c3ccb6b623c3439d84b454d064acfe96971428.zip
pfsense-23c3ccb6b623c3439d84b454d064acfe96971428.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 61ae823..0cbbba5 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -37,6 +37,9 @@
 if(!$nocsrf) {
 	function csrf_startup() {
 		csrf_conf('rewrite-js', '/csrf/csrf-magic.js');
+		$timeout_minutes = isset($config['system']['webgui']['session_timeout']) ?  $config['system']['webgui']['session_timeout'] : 240;
+		csrf_conf('expires', $timeout_minutes * 60);
+		echo $GLOBALS['csrf']['expires'];
 	}
 	require_once("csrf/csrf-magic.php");
 }
author	jim-p <jimp@pfsense.org>	2012-10-31 09:47:22 -0400
committer	jim-p <jimp@pfsense.org>	2012-10-31 09:49:10 -0400
commit	23c3ccb6b623c3439d84b454d064acfe96971428 (patch)
tree	e03cef90ce52e727c954d81063dbbd0ca18aa655 /usr/local/www
parent	b3a1733da5a4ca752216c38201f23bb02d527b45 (diff)
download	pfsense-23c3ccb6b623c3439d84b454d064acfe96971428.zip pfsense-23c3ccb6b623c3439d84b454d064acfe96971428.tar.gz