[SOLVED] OPNsense UI login problem

Started by phoenix, August 03, 2016, 04:43:54 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 03, 2016, 04:43:54 PM Last Edit: February 02, 2017, 10:05:35 PM by franco
I'm seeing the following message occasionally when I try to login to the web ui:

Code Select
CSRF check failed. Your form session may have expired, or you may not have cookies enabled.It's only a temporary problem, I can login via the web ui without problem immediately after seeing that message. Is it a browser problem or an OPNsense problem? This did happen on the 16.1.x release but as I don't use the UI very often it didn't really matter, it's just that now I'm trying to find out the cause of a problem it's getting a bit annoying.
Regards


Bill
August 08, 2016, 06:08:52 AM #1 Last Edit: August 08, 2016, 06:11:11 AM by Aadolf
Code Select
CSRF check failed. Your form session may have expired, or you may not have cookies enabled.
I saw this message too.
August 08, 2016, 07:57:01 AM #2
This is a security mechanism that got elevated because it was simply too static. That happened some time mid-16.1. I still have work there, hopefully replacing the rest of the old CSRF protection cruft for something simpler and less trigger-happy.

The CSRF token is invalidated on web interface restart, so the login screen doesn't work anymore if left open from the previous boot. Non-reboot firmware updates trigger this too, as well as changing settings under System: Settings: Administration.


Cheers,
Franco
August 08, 2016, 08:10:48 AM #3
Hi Franco

Thanks for the reply and the explanation. :) As I mentioned it's not really a great problem but at the time I posted I had to keep checking the UI and this was happening every other time I opened it. Anyway, since I posted this question this message has, naturally, stopped appearing. As long as it's nothing serious which was all I was bothered about. Thanks again and have a good day.
Regards


Bill
August 08, 2016, 07:40:19 PM #4
Hi Bill,

It's weird, did you guys do a lot of maintenance back when this happened? So we seem to have a windows of when this was ok before and after, pointing to a local issue?

Nevertheless, I shall vow to clean this up. :)


Cheers,
Franco
August 08, 2016, 08:17:42 PM #5
Hi France

It's difficult to say exactly when this started, I have a recollection that it was about four months ago. As I mentioned I didn't use the UI much as everything was running fine and this problem only rarely occurred. After the upgrade to 16.7 I was testing some firewall rule changes and that involved opening the web UI frequently (I normally logged out or rebooted after the changes) After about every fourth login I saw the error message in my first post. I've since resolved my little investigation and changes so I've been using the UI less and the message hasn't appeared since I reported it - I don't know if that helps much.
Regards


Bill
February 02, 2017, 10:05:24 PM #6
Took a while, but now with 17.1.1 we're switching to a token per session, so unless your session is expired or the box is rebooted it will work: https://github.com/opnsense/core/commit/f20640d0b69113
February 03, 2017, 02:22:48 PM #7
Hi Franco

This has only happened once on 17.1 so it's no big problem for me, thanks for the update. :)
Regards


Bill
Print
Go Up Pages1
User actions