[solved] Changed Admin Access to HTTP and couldn't login anymore

Bob.Dig · Nov 12, 2024, 6:17 PM

This might or might not be related to the beta, so sorry if it isn't, but I only have betas right now.

I changed Admin Access to HTTP and couldn't login anymore. It would say something like the browser needs to accept cookies or similar. I tested with two different browsers.

What was really disturbing to me, there was no config backup in the config-history about that change of mine. I had to revert to a backup-image from this morning.

Now is there a reason for not having a config backup about this? True is, I disabled all safeguards about login-in before, still...

marcosm · Nov 12, 2024, 5:33 PM

The cookie is likely being rejected since a secure one already exists. Clear cookies or try it in a private window.

Bob.Dig · Nov 12, 2024, 5:48 PM

@marcosm So it is a non-issue and doesn't deserve a config-change. I don't want to retest this because of reasons and can't say for sure, if all cookies were deleted beforehand. Maybe I will retry tomorrow.

marcosm · Nov 12, 2024, 6:04 PM

It's usually either HSTS or cookies. I did reproduce it here and can see in the browser console:

Cookie “PHPSESSID” has been rejected because there is an existing “secure” cookie.

Bob.Dig · Nov 12, 2024, 6:09 PM

@marcosm If HSTS is enabled in pfSense and later I switch back to HTTP... I have a problem. Maybe there should be a check in place and HSTS should be disabled by pfSense if one is changing to http. And a config-backup would help in this case. Just a thought.
I hope I learned my lesson for now.

marcosm · Nov 12, 2024, 6:11 PM

Maybe, though personally I wouldn't want to make it any easier to use unencrypted traffic in 2024

jimp · Nov 13, 2024, 3:52 PM

@Bob-Dig said in [solved] Changed Admin Access to HTTP and couldn't login anymore:

@marcosm If HSTS is enabled in pfSense and later I switch back to HTTP... I have a problem. Maybe there should be a check in place and HSTS should be disabled by pfSense if one is changing to http. And a config-backup would help in this case. Just a thought.
I hope I learned my lesson for now.

pfSense doesn't send HSTS info when you set the GUI to HTTP, but your browser caches the previous value and will refuse to connect (rightfully so!). Nothing the server can do about that, you have to manually clear it. Both Chrome and Firefox have methods of clearing that, others likely do as well.

Bob.Dig · Nov 13, 2024, 4:26 PM

@jimp I felt brave, this time with MIM enabled. And you were right. I managed to log-in with chromium, after clearing some saved information. With FF I had no luck so far but now I had two ways to access pfSense and re-enable https. Thank you.