Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    GUI "edit" page silent timeout long before session timeout

    webGUI
    2
    5
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      stilez
      last edited by

      If I leave (for example) the "edit firewall rules" and "edit file" GUI pages open in my browser while I'm away from my desk, and then come back a little later -

      • The edit firewall rules page continues to be usable as if I hadn't been away, however long it's been

      but

      • The edit file page lets me type, but silently freezes and fails to work when I try to interact with the server (ie load/save/browse a file). This seems to happen whatever session timeout I set in User Manager.

      This isn't desirable behaviour for me, and I'd like to know what causes it. I originally suspected something CSRF related but if so couldn't understand why most pages (and their user input) aren't affected but the Edit Files page is so greatly affected.

      I'd really like to learn what's going on.

      Is it possible to change this behaviour or modify the timeout (or whatever it is that's affecting the "Edit File" page of the GUI)?

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Other pages submit in a traditional way, Edit File uses AJAX. That probably explains the difference. It won't kick you back to a login page if your session times out and then you try an AJAX request like it would on a page load/POST.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • S
          stilez
          last edited by

          Thanks Jim. I added an error handler into the page's ajax code (it didn't have one) which confirms the issue, much like you said. But some behaviours look like they could be bugs, or undesirable/questionable, so I filed the other things I found on redmine.

          1 Reply Last reply Reply Quote 0
          • S
            stilez
            last edited by

            @jimp - Incidentally, quick bugfix needed (needs someone more experienced due to security-related implication).

            In guiconfig.inc, csrf_startup() references $config[] to determine if a timeout is defined and set a matching timeout for the csrf token. it looks like $config[] isn't available nor accessible as a global within csrf_startup() when it is called. So the test used to set $timeout_minutes at about line 30 of guiconfig.inc always fails.

            Any chance of posting a quick fix for that, as it's security related?

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              It's a bug but the CSRF magic default timeout is less than hours (2 hrs vs our 4) so at least in the default case it's actually more secure, not less. I'll push a fix shortly.

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.