CSRF token - Faulty unit or perhaps bug?
-
Hi,
love pfSense and the Netgate, but have this issue now and then I haven't found an explanation for. I get a red screen, saying "Missing or expired CSRF token". I have searched for info and found this thread, but it doesn't fit my case unfortunately.
I get this occasionally as explained in the thread above too, but just now I got it after having logged out of pfSense, and now logging in, hours after that. Wasn't the token cleared when logging out? I did not do anything out of the ordinary, such as pressing submit several times, which is described as a possible trigger for this warning.
I hope it does not suggest a serious issue, I am beginning to build trust in pfSense and would hate for that to be demolished by a security bug... If someone can explain this and hopefully pinpoint the cause, it'd be great, or at least try.
Thanks
-
If you log out and leave the firewall sitting at the login page, then try to log in later, that is expected to happen.
The CSRF tokens are only good for a certain period of time and are generated by the firewall when it serves the page requested by the client.
If you wait hours to submit the form, it would be using an expired token at that point.
Make a habit of refreshing the login page before you attempt to log in.
Another way that can happen is if your system clock is way off and NTP corrects it. For example, on hardware without an RTC battery, the firewall may boot up and serve the login page before the clock syncs to set the correct time, so the CSRF token generated on that very first page load will be "expired" by the time the client submits it, since the system clock would have made a huge leap between the queries. Again, easily worked around by refreshing the login page before attempting to log in in that scenario.
-
@furom I also used to see it at home when picking a saved password on my phone...that process submitted the page but was just slow enough that if I didn't notice and clicked the Sign In button it would submit a second time and trigger the warning.
-
@steveits I've seen similar cases as well where a password manager kept a cached copy of the login form -- complete with expired CSRF token -- and submitted that to login rather than fetch a new one each time.
-
@jimp Thanks, nice explanation. So basically just a warning that the token has expired. What would the use case for such token expiration be? And it looks a bit alarming, being all red, hard to miss... :)
-
CSRF tokens ensure the form you are submitting came from the correct and expected source, and is going to the correct and expected destination.
Without checking CSRF tokens, someone could trick you into logging into your firewall using a form on a shady website, for example, and perhaps even have you take some undesirable action without realizing it.
Google CSRF attacks and you'll find much more info.
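The following is an added illustration, not code from this thread or from pfSense (which uses its own CSRF library): a generic time-limited, HMAC-signed CSRF token, run through the situations described above. It shows why a login page left open for hours, or a page served before NTP corrected a battery-less clock, produces an "expired" result, while a form tied to a different session or a tampered token is rejected outright. The session identifiers, the one-hour lifetime and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TOKEN_LIFETIME = 3600     # seconds a token stays valid; assumed value, not pfSense's
MAX_FUTURE_SKEW = 60      # tolerate a token whose timestamp is slightly "in the future"
SERVER_SECRET = secrets.token_bytes(32)  # per-server key, generated at startup (constructed)


def issue_token(session_id: str, now: float, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to the client's session and the time the page was served.

    The MAC covers both fields, so neither can be changed without the key."""
    ts = int(now)
    mac = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_token(token: str, session_id: str, now: float,
                secret: bytes = SERVER_SECRET, lifetime: int = TOKEN_LIFETIME) -> str:
    """Classify a submitted token as 'ok', 'expired' or 'invalid'.

    'invalid' means the token was never issued for this session (forged, tampered,
    or copied from another session); 'expired' means it was genuine but the server
    clock has moved outside the allowed window since it was issued."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return "invalid"
    expected = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return "invalid"
    current = int(now)
    if current - ts > lifetime or ts > current + MAX_FUTURE_SKEW:
        return "expired"
    return "ok"


def scenarios() -> dict:
    """Replay the cases discussed in the thread with constructed timestamps."""
    t0 = 1_700_000_000                 # constructed "real" time when the page is served
    sess = "session-cookie-abc"        # hypothetical session identifier
    results = {}

    # 1. Login page loaded and the form submitted a few seconds later.
    tok = issue_token(sess, now=t0)
    results["prompt_submit"] = check_token(tok, sess, now=t0 + 5)

    # 2. Logged out, browser left sitting at the login page, submitted hours later.
    results["left_for_hours"] = check_token(tok, sess, now=t0 + 4 * 3600)

    # 3. No RTC battery: page served while the clock still reads 2000-01-01,
    #    then NTP corrects the clock before the user submits.
    boot_clock = 946_684_800
    tok_boot = issue_token(sess, now=boot_clock)
    results["ntp_clock_jump"] = check_token(tok_boot, sess, now=t0)

    # 4. The same form submitted under a different session (as a cross-site
    #    submission would be): genuine MAC, wrong binding.
    results["other_session"] = check_token(tok, "some-other-session", now=t0 + 5)

    # 5. One hex digit of the MAC altered.
    last = "1" if tok[-1] == "0" else "0"
    results["tampered"] = check_token(tok[:-1] + last, sess, now=t0 + 5)
    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:16s} -> {verdict}")
```

Cases 2 and 3 both come back "expired" even though the token itself is genuine, which is exactly what the red "Missing or expired CSRF token" page reports; refreshing the login page simply issues a token stamped with the current clock. Cases 4 and 5 are the ones the check is really there for, and they are refused as "invalid" regardless of timing.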
-
@jimp said in CSRF token - Faulty unit or perhaps bug?:
Google CSRF attacks and you'll find much more info.
I will do that, thanks! :)