Netgate Discussion Forum
    CSRF token - Faulty unit or perhaps bug?

    General pfSense Questions - 7 Posts, 3 Posters, 861 Views
    • furom

      Hi,
      I love pfSense and the Netgate, but have an issue now and then that I haven't found an explanation for.

      I get a red screen saying "Missing or expired CSRF token". I have searched for info and found this thread, but unfortunately it doesn't fit my case.

      I get this occasionally, as explained in the thread above too, but just now I got it after having logged out of pfSense and then logging in hours after that. Wasn't the token cleared when logging out? I did not do anything out of the ordinary, such as pressing submit several times, which is described as a possible trigger for this warning.

      I hope it does not suggest a serious issue. I am beginning to build trust in pfSense and would hate for that to be demolished by a security bug... If someone can explain this and hopefully pinpoint the cause, it'd be great, or at least try.

      Thanks

      • jimp moved this topic from Problems Installing or Upgrading pfSense Software
      • jimp (Rebel Alliance Developer, Netgate)

        If you logout and leave the firewall sitting at the login page, then try to login later, that is expected to happen.

        The CSRF tokens are only good for a certain period of time and are generated by the firewall when it serves the page requested by the client.

        If you wait hours to submit the form it would be using an expired token at that point.

        Make a habit of refreshing the login page before you attempt to login.

        Another way that can happen is if your system clock is way off and NTP corrects it. For example, on hardware without an RTC battery, the firewall may boot up and serve the login page before the clock syncs to set the correct time, so the CSRF token generated on that very first page load will be "expired" by the time the client submits it since the system clock would have made a huge leap between the queries. Again, easily worked around by refreshing the login page before attempting to login in that scenario.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • SteveITS (Galactic Empire) @furom

          @furom I also used to see it at home when picking a saved password on my phone. That process submitted the page, but was just slow enough that if I didn't notice and clicked the Sign In button, it would submit a second time and trigger the warning.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • jimp (Rebel Alliance Developer, Netgate) @SteveITS

            @steveits I've seen similar cases as well where a password manager kept a cached copy of the login form -- complete with expired CSRF token -- and submitted that to login rather than fetch a new one each time.


            • furom @jimp

              @jimp Thanks, nice explanation. So it is basically just a warning that the token has expired. What would the use case for such token expiration be? And it looks a bit alarming, being all red and hard to miss... :)

              • jimp (Rebel Alliance Developer, Netgate)

                CSRF tokens ensure the form you are submitting came from the correct and expected source, and is going to the correct and expected destination.

                Without checking CSRF tokens, someone could trick you into logging into your firewall using a form on a shady website, for example, and perhaps even have you take some undesirable action without realizing it.

                Google CSRF attacks and you'll find much more info.


                • furom @jimp
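jimp's two explanations above (a token is minted when the page is served and is only valid for a limited time, and it binds the form to the session it was issued for) can be illustrated with a small time-bound token check. This is an added example, not pfSense's own CSRF code; the secret, session ids and timestamps are constructed for illustration.

```python
import hashlib
import hmac

# Constructed for this example: a real server keeps a random secret on disk
# and uses the web session identifier it already tracks for the client.
SERVER_SECRET = b"example-secret-constructed-for-illustration"
TOKEN_LIFETIME = 3600  # seconds a token stays valid after the page was served


def _sign(session_id: str, issued: int) -> str:
    msg = f"{session_id}:{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: int) -> str:
    """Mint a token when serving a page: the issue time plus an HMAC over
    (session, issue time), so neither part can be altered by the client."""
    return f"{now}:{_sign(session_id, now)}"


def check_token(token: str, session_id: str, now: int) -> str:
    """Validate a submitted token; returns 'ok' or the rejection reason."""
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return "malformed"
    # Constant-time compare against a fresh MAC for *this* session: a token
    # copied from another session or pasted into a fake form fails here.
    if not hmac.compare_digest(mac, _sign(session_id, issued)):
        return "bad-signature"
    if issued > now:
        return "future-timestamp"  # clock stepped backwards since issue
    if now - issued > TOKEN_LIFETIME:
        return "expired"  # form left open too long, or clock leapt forward
    return "ok"


if __name__ == "__main__":
    served = 1_700_000_000  # constructed epoch time the login page was served
    tok = issue_token("session-A", served)
    print(check_token(tok, "session-A", served + 120))        # ok
    print(check_token(tok, "session-A", served + 5 * 3600))   # expired
    # Page served right after boot with an unsynced clock, submitted after
    # NTP stepped the clock to the real time: the token looks hours old.
    boot_tok = issue_token("session-A", 60)
    print(check_token(boot_tok, "session-A", served))         # expired
    print(check_token(tok, "session-B", served + 120))        # bad-signature
```

Refreshing the login page, as jimp advises, simply mints a new token with the current clock value.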

                  @jimp said in CSRF token - Faulty unit or perhaps bug?:

                  Google CSRF attacks and you'll find much more info.

                  I will do that, thanks! :)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.