CSRF check failed

  • I have one router, out of six, that I'm no longer able to manage via any web browser from any computer.

    I can reach the logon page.
    I can enter the proper credentials.
    I can see the logfile (via SSH) indicating a successful logon.

    But I get this error message in the web browser:
    CSRF check failed. Either your session has expired, this page has been inactive too long, or you need to enable cookies.
    Debug: sid:3e4291d5d94633c94ad861de77df0db56fa6b170,1415811475;ip:59e15b3178853af2e712161bf6a5868953a2351a,1415811475

    This appears from any web browser (IE or Chrome have been tested) from any computer. Clearing cache in the web browser makes no difference. Restarting the pfSense box makes no difference.

    I'm at the point where I may need to wipe and rebuild the router.

    Before I do that … is there anything I can modify via an SSH connection that will clear up this problem?


  • How are you trying to reach it?
    I thought that if you used its actual IP address in the browser bar then there is no possibility of CSRF problems.
    See cmb's comments below for more accurate advice.

  • @cfapress:

    Clearing cache in the web browser makes no difference.

    Will this also delete cookies? I'm not sure it does; it may be browser dependent. Try to manually delete all cookies associated with that IP, or at least verify that clearing the cache has cleared the cookies too. I've seen that a few times and deleting the cookies has worked for me.

    One other thing to check would be time/date synchronization between the client and pfSense. No idea if that applies here at all, but seeing as two of the three reasons given for failure involve time ('inactive too long' and 'session expired'), it can't hurt.

  • Phil's thinking of DNS rebinding and HTTP REFERER checks. CSRF is different. There really isn't a way to break that, short of having edited the source code and breaking the CSRF protection in general. Since you can get to the console, re-applying the appropriate 2.1.5 update for your system may suffice, if the cause is having messed something up by changing the source. Time sync shouldn't matter there.

  • Hi guys, got this very same problem. But I found out the/a reason - it seems to be a bug or something in the Dashboard Widget for Gateways.
    Yesterday I set up three different gateway groups (multi-WAN), and suddenly I got this CSRF check failed thing. Well, after a while I managed to go directly to another page within the firewall GUI, one that is not index.php, and that worked. So, from there I went straight to System - Routing - Groups and deleted the gateway groups I made, and voila! Back to normal.

    Don't know if your problem has the same reason behind it… but maybe?
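
Added example (not part of the thread and not pfSense code): a small parser for the `Debug:` line quoted in the first post, which decodes each token's timestamp and compares it with the server clock so that the "session has expired" and "inactive too long" causes can be checked directly. It assumes each token has the form `type:40-hex-digest,unix-issue-time`; `MAX_AGE` and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Debug line copied from the error message quoted in the first post.
DEBUG_LINE = ("Debug: sid:3e4291d5d94633c94ad861de77df0db56fa6b170,1415811475;"
              "ip:59e15b3178853af2e712161bf6a5868953a2351a,1415811475")

# Assumed layout of each token: <type>:<40 hex chars>,<Unix issue time>
TOKEN_RE = re.compile(r"^(?P<type>[a-z]+):(?P<digest>[0-9a-f]{40}),(?P<issued>\d+)$")

MAX_AGE = 7200  # hypothetical expiry window in seconds, not taken from the page


def parse_debug(line):
    """Split a 'Debug:' line into a list of token dicts; raise on malformed input."""
    body = line.strip()
    if body.startswith("Debug:"):
        body = body[len("Debug:"):].strip()
    tokens = []
    for part in filter(None, body.split(";")):
        m = TOKEN_RE.match(part.strip())
        if m is None:
            raise ValueError(f"unrecognised token: {part!r}")
        issued = int(m["issued"])
        tokens.append({
            "type": m["type"],
            "digest": m["digest"],
            "issued": issued,
            "issued_utc": datetime.fromtimestamp(issued, tz=timezone.utc).isoformat(),
        })
    return tokens


def classify(token, server_now, max_age=MAX_AGE):
    """Compare a token's issue time with the server clock (e.g. `date +%s` over SSH)."""
    age = server_now - token["issued"]
    if age < 0:
        return "issued-in-future"  # server clock is behind the token's issue time
    if age > max_age:
        return "expired"
    return "fresh"


if __name__ == "__main__":
    for tok in parse_debug(DEBUG_LINE):
        # Constructed server time: 30 seconds after the token was issued.
        print(tok["type"], tok["issued_utc"], classify(tok, tok["issued"] + 30))
```

If every token comes back `fresh` against the router's own clock, the two time-related causes named in the error message are ruled out and the remaining checks are cookies and the page being loaded.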
