Disable CSRF

Essential · Nov 9, 2012, 8:10 AM

Hello all!

My question is how i can disable CSRF at all pages? We trying make some automation for pfsense and this check give for us some problem.

PS and maybe pfsense have some API? or something like that?

GruensFroeschli · Nov 9, 2012, 9:45 AM

It's under System–>Advanced-->Admin Access
There you can also define alternative names which should be allowed.

Essential · Nov 9, 2012, 10:12 AM

@GruensFroeschli:

It's under System–>Advanced-->Admin Access
There you can also define alternative names which should be allowed.

What exactly you mean?

GruensFroeschli · Nov 9, 2012, 12:05 PM

I gave the answer to what you asked?
Just tick the checkbox "Disable HTTP_REFERER enforcement check "

Essential · Nov 9, 2012, 4:33 PM

@GruensFroeschli:

I gave the answer to what you asked?
Just tick the checkbox "Disable HTTP_REFERER enforcement check "

This chechbox dont disable csrf check :(

GruensFroeschli · Nov 9, 2012, 11:26 PM

Then what do you think it does?
It certainly allows me to access my pfSense with any name i point to the it….

cmb · Nov 10, 2012, 12:21 AM

The CSRF check is different and completely separate from the REFERER check. There is no way short of editing the source on all the pages to disable the CSRF checks.

GruensFroeschli · Nov 10, 2012, 8:01 AM

D'oh.
I feel stupid.
Sorry i mixed terms up…
i guess the answer is in the other thread in which you wrote where it's described how to change the code.