Missing or expired CSRF token



  • As of pfS 2.4.5 I am getting the CSRF check failed screen now and then



  • Rebel Alliance Developer Netgate

    That can happen if you leave a page open for a long time (several hours) and then submit a form, or in some cases like on the login page if you click submit multiple times rapidly.



  • @jimp said in Missing or expired CSRF token:

    That can happen if you leave a page open for a long time (several hours) and then submit a form, or in some cases like on the login page if you click submit multiple times rapidly.

    Thanks Jim I will watch for it.


  • Netgate Administrator

    Yes, it's new in 2.4.5. It previously displayed a default page that was ugly and gave no explanation.
    https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-new-features-and-changes.html?highlight=csrf#security-errata

    Steve



  • @stephenw10 Thanks for clarifying this, I wondered why this one caught my eye, it's new ;)



  • To the OP's note - my browser occasionally gets into a state where I get this expired CSRF warning all the time, on every login. It was easy enough to ignore on the old UX where I could just click the "try again" button and carry on. The new UX requires checking a box, clicking a button and then dismissing a dialog box to log in - which is a new kind of annoyance.

    If I delete all cookies and site data related to the host then it clears up, alas often to recur later. I've yet to nail down the conditions that trigger this warning-on-every-login state, I have a sneaking suspicion it may be related to my password manager's (Keeper) autofill mechanism. (I use Keeper on hundreds of sites, I don't see any issue on any other)


  • Netgate Administrator

    You should only see that if, as it says, the csrf magic token is invalid somehow, usually because it has expired.
    The first thing I would do there is make sure the clocks on the client and firewall are both synced.

    It's hard to imagine a password manager doing that. Unless, perhaps, it's including an old cookie token in the form response. Not something I've ever seen though and it seems to be unique to one site.

    Steve


  • Rebel Alliance Developer Netgate

    @benlow-ad8 said in Missing or expired CSRF token:

    my browser occasionally gets into a state where I get this expired CSRF warning all the time, on every login.

    The only way I've seen that happen is if you double click the login button.

    It was easy enough to ignore on the old UX where I could just click the "try again" button and carry on. The new UX requires checking a box, clicking a button and then dismissing a dialog box to log in - which is a new kind of annoyance.

    Submitting data with a missing or expired CSRF token is dangerous. The new interface is cumbersome for that reason. It shouldn't happen, and if it does, it should be "scary". If it's easy, people will click through it and not realize they're doing something that could have unintended consequences. Read up on CSRF attacks to see why.



  • @stephenw10 : I concur re. password manager being an unlikely culprit, indeed I just found out my colleague is using the same password manager (Chrome extension) and has yet to see this issue.

    @jimp : I'm aware of the purpose of the mitigation. For pfSense I use a browser profile dedicated to relatively few "admin" purposes. Given that when this state occurs it's only on immediate login - an explicit action on my part - and that when it does arise it's "sticky" in that it then occurs on every login until I clear cookies (incl. via explicitly logging out, I believe), I believe I can be pretty confident it's not an attack.

    Re-reading @jimp's earlier comment re. hitting the login multiple times, that's not out of the question in my case. (not so much by clicking the button, but either the password manager autofill and/or hitting enter to trigger the autofill). I'll try and pay closer attention to that and see if I can notice anything.



  • I'm seeing this several times now and it was rather concerning, especially as I'd never heard of CSRF before and the page doesn't really explain the situation (or solution) very well. Also the vague warning is rather scary. I've not seen anything similar on other device login pages.

    Is the "form" referred to the same as a login page? If so, why is that considered to be a "bad thing"?
    FWIW I leave a browser tab open for occasional pfSense use and have a password manager installed with autofill enabled. I'm certainly not clicking multiple times on the login page! Also I wasn't aware of any "ugly" page before 2.4.5.

    Certainly I think this warning page could do with some more explanatory text.



  • Just FYI, I am also seeing this EVERY time I logon too! I am using the Roboform password manager and I am pretty sure that is part of the reason as if I log in manually (without the password manager filling on the form) it works fine.

    You can see the fields Roboform holds for any given page and as far as I can see it only holds a username and password, no other token fields that it might be filling behind the scenes.

    And yes, this is annoying that you now have to go through 3 additional clicks every time you log on! You say that it should be scary and it is deliberate but I have no idea what a CSRF token is and as I know I am logging on from a trusted machine within a trusted network I, as a humble user, have no option but to ignore the three dire warnings every time I log on! Doesn't seem very good design to me...



  • @jimp said in Missing or expired CSRF token:

    @benlow-ad8 said in Missing or expired CSRF token:

    my browser occasionally gets into a state where I get this expired CSRF warning all the time, on every login.

    The only way I've seen that happen is if you double click the login button.

    It was easy enough to ignore on the old UX where I could just click the "try again" button and carry on. The new UX requires checking a box, clicking a button and then dismissing a dialog box to log in - which is a new kind of annoyance.

    Submitting data with a missing or expired CSRF token is dangerous. The new interface is cumbersome for that reason. It shouldn't happen, and if it does, it should be "scary". If it's easy, people will click through it and not realize they're doing something that could have unintended consequences. Read up on CSRF attacks to see why.

    The problem with any system that has false positives is that when a real, proper warning comes up it will just be ignored. I keep getting these on a daily basis.

    If you are convinced this is not a false positive and somehow we are all victims of some kind of exploit, then I suggest you add some documentation to the page on how we can all clean our browsers to stop it happening again.

    Trying to figure out what's going on, at least in my case: I have one cookie with the generic PHPSESSID header, and my browser is configured to keep pfSense cookies forever until I manually delete them or they naturally expire. The error suggests it will be caused by either missing cookies or an expired form session.

    If I remember right when I logout I usually leave the tab open so my browser sits on the login page for ages, then I login, and the error pops up. So a fix for this might be to set the session expiry much higher on the php side, or to have the login page refresh automatically at intervals.
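    To make the two failure modes discussed in this thread concrete (a login form left open until its token ages out, and a token that no longer matches the session cookie it was minted for), here is an added illustration of how an expiring, session-bound CSRF token is issued and checked. It is not pfSense's csrf-magic code; the secret, the one-hour lifetime and the session ids are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed values for the illustration: a per-server secret and a one-hour token lifetime.
SECRET = os.urandom(32)
TOKEN_MAX_AGE = 3600  # seconds


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a token bound to the caller's session cookie and to its issue time."""
    issued = int(now if now is not None else time.time())
    msg = f"{session_id}:{issued}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{sig},{issued}"


def check_token(token: Optional[str], session_id: Optional[str],
                now: Optional[float] = None) -> str:
    """Return 'ok', or the reason the submission must be refused."""
    if not token:
        return "missing token"
    if not session_id:
        return "missing session cookie"
    try:
        sig, issued_s = token.split(",", 1)
        issued = int(issued_s)
    except ValueError:
        return "malformed token"
    expected = hmac.new(SECRET, f"{session_id}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        # Cookie was cleared or rotated after the form was rendered (e.g. a second
        # click arriving after the first login already replaced the session).
        return "token does not match this session"
    if (now if now is not None else time.time()) - issued > TOKEN_MAX_AGE:
        return "expired token"
    return "ok"


def login_page_left_open(hours: float) -> str:
    """The login tab sits idle for `hours`, then the form is submitted."""
    t0 = 1_700_000_000  # constructed reference time
    token = issue_token("PHPSESSID-old", now=t0)
    return check_token(token, "PHPSESSID-old", now=t0 + hours * 3600)


def session_rotated_before_submit() -> str:
    """Form rendered under one session cookie, submitted under a different one."""
    t0 = 1_700_000_000
    token = issue_token("PHPSESSID-old", now=t0)
    return check_token(token, "PHPSESSID-new", now=t0 + 5)
```

    A refresh of the login page before submitting mints a fresh token under the current cookie, which is why the reload described later in the thread clears the warning.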


  • Netgate Administrator

    If you are seeing that warning it's because the token has expired. And if that only happens with the password manager it's pretty much got to be because it's submitting an expired token.
    I don't see that with LastPass or Bitwarden for example.

    Steve



  • I can confirm it's related to leaving the browser tab sitting on the login screen for a long time. I tested it on two different devices: when I tried to log in on the first I had the CSRF warning; on the second I refreshed first, then did the login, and got no warning.

    I tested on Chrome (the most widespread browser in the world), and Vivaldi, did not test on Firefox or Edge.



  • I would like to add that although having a tab open for a long time may be one way of causing this, using a password tool (like Roboform) is another as it does it for me every time I log on, even if I have only just opened the tab and navigated to the page.

