OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: phoenix on August 03, 2016, 04:43:54 pm
-
I'm seeing the following message occasionally when I try to login to the web ui:
CSRF check failed. Your form session may have expired, or you may not have cookies enabled.
It's only a temporary problem, I can login via the web ui without problem immediately after seeing that message. Is it a browser problem or an OPNsense problem? This did happen on the 16.1.x release but as I don't use the UI very often it didn't really matter, it's just that now I'm trying to find out the cause of a problem it's getting a bit annoying.
-
CSRF check failed. Your form session may have expired, or you may not have cookies enabled.
I saw this message too.
-
This is a security mechanism that got elevated because it was simply too static. That happened some time mid-16.1. I still have work there, hopefully replacing the rest of the old CSRF protection cruft for something simpler and less trigger-happy.
The CSRF token is invalidated on web interface restart, so the login screen doesn't work anymore if left open from the previous boot. Non-reboot firmware updates trigger this too, as well as changing settings under System: Settings: Administration.
Cheers,
Franco
-
Hi Franco
Thanks for the reply and the explanation. :) As I mentioned it's not really a great problem but at the time I posted I had to keep checking the UI and this was happening every other time I opened it. Anyway, since I posted this question this message has, naturally, stopped appearing. As long as it's nothing serious which was all I was bothered about. Thanks again and have a good day.
-
Hi Bill,
It's weird, did you guys do a lot of maintenance back when this happened? So we seem to have a window of when this was ok before and after, pointing to a local issue?
Nevertheless, I shall vow to clean this up. :)
Cheers,
Franco
-
Hi Franco
It's difficult to say exactly when this started, I have a recollection that it was about four months ago. As I mentioned I didn't use the UI much as everything was running fine and this problem only rarely occurred. After the upgrade to 16.7 I was testing some firewall rule changes and that involved opening the web UI frequently (I normally logged out or rebooted after the changes). After about every fourth login I saw the error message in my first post. I've since resolved my little investigation and changes so I've been using the UI less and the message hasn't appeared since I reported it - I don't know if that helps much.
-
Took a while, but now with 17.1.1 we're switching to a token per session, so unless your session is expired or the box is rebooted it will work: https://github.com/opnsense/core/commit/f20640d0b69113
-
Hi Franco
This has only happened once on 17.1 so it's no big problem for me, thanks for the update. :)
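-
Added example, not part of the thread and not OPNsense's code: a small Python model of the token-per-session scheme mentioned for 17.1.1, showing which of the situations discussed above pass the CSRF check and which fail. The `SessionStore` class, the timeout value and the assumption that sessions are lost on reboot are illustrative only.

```python
import hmac
import secrets

SESSION_TTL = 4 * 3600  # assumed idle timeout in seconds, not an OPNsense value


class SessionStore:
    """Constructed model: one CSRF token per server-side session."""

    def __init__(self):
        self.sessions = {}  # session id -> {"csrf": token, "expires": epoch seconds}

    def open_session(self, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"csrf": secrets.token_urlsafe(32),
                              "expires": now + SESSION_TTL}
        return sid, self.sessions[sid]["csrf"]

    def check(self, sid, submitted, now):
        # Returns "ok" or the reason the submitted form must be rejected.
        record = self.sessions.get(sid)
        if record is None:
            return "no session"        # cookie missing, or store lost on reboot
        if now >= record["expires"]:
            del self.sessions[sid]
            return "session expired"
        # Constant-time comparison so the check does not leak token prefixes.
        if not hmac.compare_digest(record["csrf"].encode(), str(submitted).encode()):
            return "token mismatch"    # forged form or token from another session
        return "ok"

    def reboot(self):
        self.sessions.clear()          # assumption: sessions do not survive a reboot


def demo():
    store, t0 = SessionStore(), 1_000_000   # constructed timestamps
    sid, token = store.open_session(t0)
    results = {
        "same session, later form": store.check(sid, token, t0 + 60),
        "cross-site post without token": store.check(sid, "", t0 + 60),
        "other session's token": store.check(sid, store.open_session(t0)[1], t0 + 60),
        "after idle timeout": store.check(sid, token, t0 + SESSION_TTL),
    }
    sid2, token2 = store.open_session(t0)
    store.reboot()
    results["login page left open across reboot"] = store.check(sid2, token2, t0 + 60)
    return results


if __name__ == "__main__":
    print(demo())
```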