CSRF Check Failed on Login with no internet
-
This also happens to me almost every time I use the GUI. This has been happening for months.
In my case I am always logged into pfsense from a laptop connected by ethernet cable to the LAN. The WAN has always been up at the time that it happens.
Currently I'm using Firefox 79.0 64 bit, but this has happened on earlier versions as well. It seems to be more of a prominent issue if I have several tabs open in the browser with different pfsense GUI pages open. I am logging into the GUI by HTTPS (not HTTP) and I have imported the GUI certificate in pfsense into the certificate manager in Firefox.
I'm not sure if this is a related issue or not, but I am also having issues with timeouts in the GUI which I posted about here: https://forum.netgate.com/topic/156131/gui-timeout
I'm running pfsense version 2.4.4-RELEASE-p3 (amd64). Just ask me if there's anything I can do to help troubleshoot this issue further. I'm happy to help!
-
I updated to 2.5.x yesterday trying to fix this issue and it did not fix it so it has nothing to do with the internet being down or being able to resolve ews.netgate.com
-
As I mentioned before the only way I can reproduce this is to double click the "Sign In" button on the login page. So before anything else, make sure you are not double clicking / double tapping that button.
-
@jimp When I just click once it just sits and spins and never shows the GUI, checking logs it does show successful login (twice when i click it the second time)
-
I haven't seen that happen before but next time it does, try refreshing the page but not resubmitting the form. (Or navigate away from the firewall and back).
Also are you using local auth or a server like LDAP or RADIUS for GUI authentication?
-
@jimp Local auth, if I hit f5 the form is cleared and the loading of the page stops.
-
BTW I forgot to mention this only happens with Chrome, and it does happen after clearing cache and in ingcognito.
-
@bigjohns97 said in CSRF Check Failed on Login with no internet:
@jimp When I just click once it just sits and spins and never shows the GUI, checking logs it does show successful login (twice when i click it the second time)
I had that phenomenom with an older chrome version. Never had that effect with edgium, chromium or other browsers though but I'm guessing it was somewhat related to blocking referrer, cookies or scripts. After login it just "loaded endlessly" and if you clicked the URL bar and hit enter you were immediatly logged in on the dashboard (that's why I was guessing it had something to do with the browser not getting the redirection/rewrite properly after logging in). But that's completely browser related and no failure of CSRF or the pfSense login page IMHO.
Another interesting fact: another chrome profile with no extensions and "blank" didn't have that problems, it was only the one profile I used for work, with my private one I had no redirection/login issue. Perhaps that's something @bigjohns97 can test: create a new fresh clean chrome profile, switch to it, don't have any extensions etc. loaded and just try default chrome settings and try logging in. Perhaps it's something with your profile like mine.
-
@JeGr This is very interesting, clicking the address bar and then hitting f5 does login immediately, just hitting f5 doesn't do anything but clear the forum.
Doing incognito produces the same result which is what a new profile would produce as well, I do have it set to not load add-in's on incognito.
-
@JeGr I did end up trying the guest profile and it did work, so I don't think it's an extension but must be something with the profile in chrome, I am going to check my settings and see if I can find something different that might account for this.
-
I should note that in my case I am getting the error after I have successfully logged into the GUI. I'll be working on something within the GUI. I might then go to save a setting, check an option, navigate to a new page, etc, and then I get redirected to the CSRF error page. I then have to go back to the login page and login again and start whatever I was doing all over again.
-
For what it's worth : CSRF is cookie (== session) based.
If a browser, or browser plugin/extension does nasty things with the cookie, CSRF kicks in.
