CSRF Check Failed on Login with no internet



  • I've got my pfSense box set up with a static WAN IP and DNS servers. I'm on pfSense 2.4.4. I have my webGUI set to use SSL. When my internet goes down, or if I unplug the modem from the router, and then I try to log into the webGUI, I get a CSRF Check failed error. I can consistently re-create this issue, and I've tried it on 3 different computers, with Firefox, Chrome, and IE; both before and after clearing the cache. As soon as the internet is restored, it starts working again. While the internet is disconnected, I can still log in via SSH, and from there, it shows my webGUI logins are succeeding. The only fix I've found is to disable SSL on the webGUI interface, which I'd really rather not do.

    Has anyone else run into this?
    Can anyone point me in the right direction?

    A few other notes about my setup:
    I'm using the DNS resolver, with DNSSEC enabled. DNS over SSL is NOT enabled.
    I have 2 LANs on 2 separate NICs, different subnets, totally isolated from each other. Only one of them has access to the webGUI.
    I have a single OpenVPN server set up for outside access.



  • Yes, I just encountered this issue. I even went as far as cloning the 2.4.4 repo branch to see if I could track down what the main page is trying to call to when it's loading. I figure it's either some kind of call-home or checking for the latest version; even though it looks like it's an asynchronous request being made when I click the refresh button. Would love to get confirmation and/or clarification on that from a dev who works on the interface.

    Something I'd suggest in the meantime, though (and why I came to the aforementioned conclusion):

    After logging in, try opening another tab to some URL that isn't the homepage. Those loaded just as fast as they usually would in normal circumstances. It's got to be some external resource(s) being called to on that main page that are hanging it up because they can't resolve.


  • Rebel Alliance Developer Netgate

    Only time I've seen a CSRF check fail is due to the clock. The CSRF tokens are only valid for a couple hours. If you load the login page and don't refresh, but don't login until hours later, then it fails. Similarly, if you load the login page and the firewall clock gets updated via NTP so it jumps ahead more than the time CSRF tokens are valid, it also fails.

    I don't see how it would happen when offline, however. Not unless something else is causing a huge skew in your system clock.
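    The failure mode described above (a CSRF token that is only valid for a bounded time, so a stale login page or a clock that jumps forward past the window makes the check fail) is easy to see in a small model. The following is an added example, not pfSense's own CSRF code: it assumes an HMAC-based token that embeds its issue time, a two-hour lifetime standing in for "a couple hours", and a small tolerance for tokens that appear to come from the future. It also covers a backward clock step, which the post does not mention but which the same check catches.

    ```python
    import hashlib
    import hmac
    from typing import Dict, Tuple

    # Assumed lifetime; the post only says "a couple hours".
    TOKEN_LIFETIME_SECONDS = 2 * 3600
    # Assumed tolerance for tokens whose issue time is slightly ahead of "now".
    FUTURE_SLACK_SECONDS = 60


    def make_token(secret: bytes, session_id: str, now: float) -> str:
        """Issue a CSRF token bound to the session and stamped with the firewall clock."""
        issued = int(now)
        mac = hmac.new(secret, f"{issued}:{session_id}".encode(), hashlib.sha256).hexdigest()
        return f"{issued}:{mac}"


    def check_token(secret: bytes, session_id: str, token: str, now: float,
                    lifetime: int = TOKEN_LIFETIME_SECONDS,
                    future_slack: int = FUTURE_SLACK_SECONDS) -> Tuple[bool, str]:
        """Validate the MAC first, then the age of the token against the current clock."""
        try:
            issued_str, mac = token.split(":", 1)
            issued = int(issued_str)
        except ValueError:
            return False, "malformed token"
        expected = hmac.new(secret, f"{issued}:{session_id}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "MAC mismatch (wrong session or tampered token)"
        age = int(now) - issued
        if age > lifetime:
            return False, f"expired: token is {age}s old, limit is {lifetime}s"
        if age < -future_slack:
            return False, f"issued {-age}s in the future (clock moved backward?)"
        return True, "ok"


    def scenarios() -> Dict[str, Tuple[bool, str]]:
        """Replay the situations from the thread with a constructed clock (t0 is arbitrary)."""
        secret = b"constructed-demo-secret"  # constructed; a real key is random and per-install
        session = "sess-A"
        t0 = 1_700_000_000  # constructed epoch time for the page load
        token = make_token(secret, session, t0)
        return {
            # Login page loaded and submitted 30 seconds later: passes.
            "fresh": check_token(secret, session, token, t0 + 30),
            # Login page left open for three hours before submitting: fails.
            "stale_page": check_token(secret, session, token, t0 + 3 * 3600),
            # Page loaded while the firewall clock was three hours behind; NTP then
            # corrects the clock, so the token looks three hours old 30s later: fails.
            "ntp_jump_forward": check_token(secret, session, token, t0 + 3 * 3600 + 30),
            # Clock stepped back ten minutes after the page loaded: token is "from the future".
            "clock_set_back": check_token(secret, session, token, t0 - 600),
            # Same token presented under a different session: MAC does not match.
            "other_session": check_token(secret, "sess-B", token, t0 + 30),
        }


    if __name__ == "__main__":
        for name, (ok, why) in scenarios().items():
            print(f"{name:18} {'PASS' if ok else 'FAIL'}  {why}")
    ```

    The point for troubleshooting is that the check compares the token's embedded issue time with the firewall's own clock at submission, so a WAN outage by itself does nothing to it; only a clock step (NTP catching up after the link returns, or a drifting RTC while it is down) or a long-open login page moves the age past the limit. Comparing `date` on the firewall over SSH against the client while the WAN is unplugged, as the thread goes on to suggest, is the direct way to confirm or rule this out.
    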



  • My system clock was running just fine from what I can remember.



  • I know that both the system clock I was logging into from and the pfSense clock were correct BEFORE I disconnected the WAN side, but I didn't check the pfSense clock while disconnected. I know it was correct after I reconnected the WAN side, but I'm using NTP to keep the pfSense clock up to date. I'll test that later and see what I come up with, but I see no reason it would have changed.