CSRF Check Failed on Login with no internet

  • I've got my pfsense box set up with a static WAN IP and DNS servers. I'm on pfSense 2.4.4. I have my webGUI set to use SSL. When my internet goes down, or if I unplug the modem from the router, and then I try to log into the webGUI, I get a CSRF Check failed error. I can consistently re-create this issue, and I've tried it on 3 different computers, with Firefox, Chrome, and IE; both before and after clearing the cache. As soon as the internet is restored, it starts working again. While the internet is disconnected, I can still log in via SSH, and from there, it shows my webGUI logins are succeeding. The only fix I've found is to disable SSL on the webGUI interface, which I'd really rather not do.

    Has anyone else run into this?
    Can anyone point me in the right direction?

    A few other notes about my setup:
    I'm using the DNS resolver, with DNSSEC enabled. DNS over SSL is NOT enabled.
    I have 2 LANs on 2 separate NICs, different subnets, totally isolated from each other. Only one of them has access to the webGUI.
    I have a single openVPN server set up for outside access.

  • Yes, I just encountered this issue. I even went as far as cloning the 2.4.4 repo branch to see if I could track down what the main page is trying to call to when it's loading. I figure it's either some kind of call-home or checking for the latest version; even though it looks like it's an asynchronous request being made when I click the refresh button. Would love to get confirmation and/or clarification on that from a dev who works on the interface.

    Something I'd suggest in the meantime, though (and why I came to the aforementioned conclusion):

    After logging in, try opening another tab to some URL that isn't the homepage. Those loaded just as fast as they usually would in normal circumstances. It's got to be some external resource(s) being called to on that main page that are hanging it up because they can't resolve.

  • Rebel Alliance Developer Netgate

    Only time I've seen a CSRF check fail is due to the clock. The CSRF tokens are only valid for a couple hours. If you load the login page and don't refresh, but don't login until hours later, then it fails. Similarly, if you load the login page and the firewall clock gets updated via NTP so it jumps ahead more than the time CSRF tokens are valid, it also fails.

    I don't see how it would happen when offline, however. Not unless something else is causing a huge skew in your system clock.
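The failure mode described in the reply above (a login page loaded hours earlier, or a firewall clock that jumps past the token window) can be reproduced with a small model of a time-bound CSRF token. This is an added example, not pfSense's csrf-magic implementation: the token layout (issued-at timestamp plus an HMAC over timestamp and session ID), the two-hour lifetime, the 60-second tolerance for tokens that appear to come from the future, and the `simulate` scenarios are all my assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Hypothetical "couple of hours" validity window, in seconds (assumption,
# not the value pfSense uses).
TOKEN_LIFETIME = 2 * 3600
# Tolerance for tokens whose issue time is ahead of the validating clock
# (assumption: a validator may treat a token "from the future" as skew).
FUTURE_TOLERANCE = 60


def make_token(secret: bytes, session_id: str, now: int) -> str:
    """Mint a token bound to this session and to the time it was issued.

    Layout: 8-byte big-endian issue timestamp || HMAC-SHA256(secret, ts || session).
    The MAC ties the token to the session so a token from another session
    (or one forged with a guessed timestamp) fails the signature check.
    """
    ts = struct.pack(">Q", now)
    mac = hmac.new(secret, ts + session_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ts + mac).decode()


def check_token(secret: bytes, session_id: str, token: str, now: int,
                lifetime: int = TOKEN_LIFETIME) -> tuple[bool, str]:
    """Validate a token against the server's current clock.

    Returns (ok, reason). The signature is checked before the timestamp is
    trusted, so an attacker cannot pick a timestamp to extend validity.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeError):
        return False, "malformed"
    if len(raw) != 8 + hashlib.sha256().digest_size:
        return False, "malformed"
    ts_bytes, mac = raw[:8], raw[8:]
    expected = hmac.new(secret, ts_bytes + session_id.encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"          # wrong session or tampered
    issued = struct.unpack(">Q", ts_bytes)[0]
    if issued > now + FUTURE_TOLERANCE:
        return False, "clock skew"             # server clock went backwards
    if now - issued > lifetime:
        return False, "expired"                # stale page or clock jumped ahead
    return True, "ok"


def simulate(secret: bytes = b"constructed-demo-secret",
             session_id: str = "sess-123") -> dict[str, str]:
    """Walk through the scenarios from the thread with a constructed clock.

    t0 is the moment the login page (and its token) was served.
    """
    t0 = 1_700_000_000
    token = make_token(secret, session_id, t0)
    return {
        # Login submitted within the window: accepted.
        "prompt_login": check_token(secret, session_id, token, t0 + 30)[1],
        # Page left open and submitted three hours later: rejected.
        "stale_page": check_token(secret, session_id, token, t0 + 3 * 3600)[1],
        # Firewall clock stepped forward by NTP well past the window
        # between page load and submit: rejected for the same reason.
        "ntp_jump_ahead": check_token(secret, session_id, token, t0 + 5 * 3600)[1],
        # Firewall clock stepped backwards (e.g. reset, no time sync yet):
        # the token now appears to be from the future.
        "clock_behind": check_token(secret, session_id, token, t0 - 3600)[1],
        # Same token presented under a different session cookie: rejected.
        "other_session": check_token(secret, "sess-999", token, t0 + 30)[1],
    }


if __name__ == "__main__":
    for scenario, result in simulate().items():
        print(f"{scenario:16s} -> {result}")
```

The practical check this suggests when the error appears: compare `date` on the firewall (over SSH, as the original poster could still do) with the clock on the client at the moment of the failed login, and reload the login page immediately before submitting so the token is freshly minted.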

  • My system clock was running just fine from what I can remember.

  • I know that both the system clock I was logging into from and the pfsense clock were correct BEFORE I disconnected the WAN side, but I didn't check the pfSense clock while disconnected. I know it was correct after I reconnected the WAN side, but I'm using NTP to keep the pfsense clock up to date. I'll test that later and see what I come up with, but I see no reason it would have changed.

  • Curious if there was a resolution to this? This happens to me also.

  • I've seen this issue as well. I haven't tried to seek the cause as generally I just retry a few times and it works. Just from anecdotal evidence, it seems to happen more from my smartphone than from my desktop.

  • Rebel Alliance Developer Netgate

    Since this thread was last updated, I found a more common way to reproduce the problem: https://redmine.pfsense.org/issues/9855

    But that's the only way I've been able to trigger it at login. Maybe if you don't have an internet connection and it takes a while for the page to load, you clicked it twice and hit that problem.

  • I still get this error often when offline, so thank you for checking into this. While I'm not yet convinced this only happens when you click twice, I can confirm that clicking twice does cause the error. Moving forward, I will know to pay attention to that when logging in.

    Is there a way to speed up the page load when offline? I've already disabled check for updates.

  • I just saw this error today. Internet is all connected. Maybe a clock issue. Dunno.

    CSRF check failed

    Missing or expired CSRF token
    Form session may have expired, cookies may not be enabled, or possible CSRF-based attack.
    Resubmitting this request may put the firewall at risk or lead to unintended behavior.
