From 23c3ccb6b623c3439d84b454d064acfe96971428 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 31 Oct 2012 09:47:22 -0400
Subject: Set the CSRF Magic timeout to the same as the session timeout, so that if a user sets a lower session time, the CSRF magic tokens do not outlive the user's session.
---
 usr/local/www/guiconfig.inc | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'usr/local')
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 61ae823..0cbbba5 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -37,6 +37,9 @@
 if(!$nocsrf) {
 function csrf_startup() {
 csrf_conf('rewrite-js', '/csrf/csrf-magic.js');
+ $timeout_minutes = isset($config['system']['webgui']['session_timeout']) ? $config['system']['webgui']['session_timeout'] : 240;
+ csrf_conf('expires', $timeout_minutes * 60);
+ echo $GLOBALS['csrf']['expires'];
 }
 require_once("csrf/csrf-magic.php");
 }
-- 
cgit v1.1
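Review bot: The first added line reads `$config` inside `csrf_startup()`, but the function body shown in this hunk has no `global $config;`, so `$config` is an unset local there, `isset()` is always false, and the token lifetime stays at the 240-minute fallback whatever session timeout the administrator configured. Add `global $config;` as the first statement of the function so the CSRF token lifetime actually follows `session_timeout`. The third added line, `echo $GLOBALS['csrf']['expires'];`, looks like leftover debugging and should be removed; it writes the value into the response of every page that loads this file, presumably before headers are sent. If the setting can be stored empty or non-numeric, `isset()` still passes and `expires` would become 0, so a guard such as `$timeout_minutes = (int)$timeout_minutes > 0 ? (int)$timeout_minutes : 240;` before the `csrf_conf('expires', ...)` call would keep the lifetime well defined.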