From fcaa6f15a9151c61ce00e3dfa2eb85548ac652e1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 4 May 2023 09:39:37 +0200
Subject: [PATCH] legacy/csrf check - in some cases people receive a csrf error when posting a legacy form, which does seem to be caused by newToken() registering new session variables onto a closed session. As authgui.inc closes the session after usage, a race might happen. Make sure the session is opened before using it, we likely don't have to bother closing it as the legacy page already assumed it was closed on script exit.
---
 src/www/csrf.inc | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/www/csrf.inc b/src/www/csrf.inc
index 712ee06e0..075215c81 100644
--- a/src/www/csrf.inc
+++ b/src/www/csrf.inc
@@ -73,6 +73,10 @@ class LegacyCSRF {
 $random = new \OPNsense\Phalcon\Encryption\Security\Random();
 // only request new token when session has none
+ if (session_status() == PHP_SESSION_NONE) {
+ // our session is not guaranteed to be started at this point.
+ session_start();
+ }
 if (empty($_SESSION['$PHALCON/CSRF/KEY$']) || empty($_SESSION['$PHALCON/CSRF$'])) {
 $_SESSION['$PHALCON/CSRF$'] = $random->base64Safe(16);
 $_SESSION['$PHALCON/CSRF/KEY$'] = $random->base64Safe(16);