[SOLVED] OPNsense UI login problem

[phoenix]

I'm seeing the following message occasionally when I try to login to the web ui:

Code: [Select]

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.It's only a temporary problem, I can login via the web ui without problem immediately after seeing that message. Is it a browser problem or an OPNsense problem? This did happen on the 16.1.x release but as I don't use the UI very often it didn't really matter, it's just that now I'm trying to find out the cause of a problem it's getting a bit annoying.

[Aadolf]

Code: [Select]

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.I saw this message too.

[franco]

This is a security mechanism that got elevated because it was simply too static. That happened some time mid-16.1. I still have work there, hopefully replacing the rest of the old CSRF protection cruft for something simpler and less trigger-happy.

The CSRF token is invalidated on web interface restart, so the login screen doesn't work anymore if left open from the previous boot. Non-reboot firmware updates trigger this too, as well as changing settings under System: Settings: Administration.


Cheers,
Franco

[phoenix]

Hi Franco

Thanks for the reply and the explanation. As I mentioned it's not really a great problem but at the time I posted I had to keep checking the UI and this was happening every other time I opened it. Anyway, since I posted this question this message has, naturally, stopped appearing. As long as it's nothing serious which was all I was bothered about. Thanks again and have a good day.

[franco]

Hi Bill,

It's weird, did you guys do a lot of maintenance back when this happened? So we seem to have a windows of when this was ok before and after, pointing to a local issue?

Nevertheless, I shall vow to clean this up.


Cheers,
Franco

[phoenix]

Hi France

It's difficult to say exactly when this started, I have a recollection that it was about four months ago. As I mentioned I didn't use the UI much as everything was running fine and this problem only rarely occurred. After the upgrade to 16.7 I was testing some firewall rule changes and that involved opening the web UI frequently (I normally logged out or rebooted after the changes) After about every fourth login I saw the error message in my first post. I've since resolved my little investigation and changes so I've been using the UI less and the message hasn't appeared since I reported it - I don't know if that helps much.

[franco]

Took a while, but now with 17.1.1 we're switching to a token per session, so unless your session is expired or the box is rebooted it will work: https://github.com/opnsense/core/commit/f20640d0b69113

[phoenix]

Hi Franco

This has only happened once on 17.1 so it's no big problem for me, thanks for the update.