Reforis: login not possible, Forbidden CSRF token missing or incorrect

frank · July 26, 2021, 8:13am

Hi,

I cannot log into the reforis GUI of my router.
After entering the password I see “Forbidden CSRF token missing or incorrect.”

This is somewhat a deadlock, as I have to confirm the updates in reforis.

There is a bug: Fix CSRF token missing or incorrect (#323) · Issues · Turris / reForis / reForis · GitLab

For me this is 100% reproducible. I tried it with linux/firefox and macos/safari browser

Foris, where I can login says:

|Turris OS version |5.2.3|
|Turris OS branch |hbs|

My linux browser is configured to delete all cookies and website data when I close it, so I guess this prevents old data being used. I do not know howto proceed from here, could you please help?

mmtj · July 26, 2021, 9:57am

Hi @frank,

Unfortunately this issue keeps appearing from time to time

Could you please provide exact version of Firefox and Safari browser you used, so we could try to reproduce it?
Also which Linux distribution and Mac OS version?
Have you tried other chromium-based browsers?

lucenera · July 26, 2021, 10:30am

Try this, the Turris OS GUI shouldn’t be involved in the problem: https://todoist.com/help/articles/csrf-token-error-messages
The guide refers to another service, but the problem and the solution are the same.

frank · July 26, 2021, 11:12am

Hi,

in linux this was firefox 78.11.0esr (64-bit) on debian 11.
Safari was 12.1.2 MacOS 10.12.6

I tried here other browsers I had installed and this one did let me in:
Google Chrome Version 80.0.3987.116 (Official Build) (64-bit)

frank · July 26, 2021, 11:19am

Hi, thank you. I see a Cookie being set “some seconds ago”, so this does not seem to be the problem.

lucenera · July 26, 2021, 11:22am

Tried a new anonymous window in Firefox? So all extensions should be disabled. Maybe an extension prevents the correct creation of the cookie. I am with Firefox 90.0 on Arch Linux and I can log in without any problem.

frank · July 26, 2021, 11:28am

I tried it now and got “Forbidden CSRF token missing or incorrect.".

So I think it is some sort of incoompability of the GUI and certain versions of browsers.

I found out today, that I have a chrome install which works, so I can use that to manage my turris for the time being.

mmtj · July 26, 2021, 3:16pm

I tried ESR versions (78.11.0 and 78.12.0) of Firefox on Slackware Linux (another classic distro like Debian ) and cookie is set correctly.

Even after closing and opening Firefox again with “delete all cookies and website data when I close it” configuration, it works fine.

Could you try it with new firefox profile?
Maybe there is something odd with Firefox shipped by Debian.

frank · July 26, 2021, 3:52pm

Hi,

I tried on debian 11 with a private window and there is the same result. Isn’t this a fresh profile?

I tried on a new machine where I have probably never started firefox before (and without any addons installed ) and I cannot log in:

This is using ubuntu “focal”

firefox 86.0+build3-0ubuntu0.20.04.1

mmtj · July 26, 2021, 5:50pm

Private window in firefox still uses your current browser profile (history, configuration, extensions, etc.).

To check if reforis works with the usual firefox configuration or does not work regardless of configuration, you would have to create brand-new profile.

See Profile Manager - Create, remove or switch Firefox profiles | Firefox Help

jada4p · July 26, 2021, 7:01pm

As to updates, confirming them in reForis isn’t the only option: you could simply SSH to your router and let them execute by “pkgupdate” command.

frank · July 28, 2021, 1:12pm

Hi,

I created a new user on my system using adduser and started firefox as this new user and could not login. firefox 78.11.0esr (64-bit) on debian 11.

frank · July 28, 2021, 1:12pm

Ok thank you, nice to know

mmtj · July 28, 2021, 3:27pm

Hi,

that is really odd.

I tried both Firefox 86.0 on Ubuntu Focal and 78.12.0.esr on Debian 11 and with basic configuration (i.e. default profile) and cookie is set fine, thus I can successfully log in and use reForis.

Although I tried both as virtual machines, not on real HW. Perhaps this might be HW related.

Extensions and additional configuration related to cookies might interfere with CSRF protection, but with default profile it should work fine.

So I would suggest upgrading to latest Firefox (78.12.0 esr in case of Debian Linux) and see if that helps.
We have encountered few issues with Firefox and reforis before. Most of the time it was caused by the specific Firefox versions and was fixed in later releases.

Are you able to log in to Foris or is broken too?

frank · July 29, 2021, 5:45am

I can login into Foris and luci.

I updated and tried it with firefox-esr 78.12.0esr-1 and cannot login into reforis.

Would a pcap File of a connection attempt help?

I have no idea what I do here - and please tell me if I should change my router password now- fuzzy name matching and clicking brings me to this screen:

This is from the new user with the new firefox.

Ah and I see that I installed ublock origin as debian package, so it is always there… Might this be the problem? After deinstalling ublock still the same:

And I retried it after clearing cookies and website data and still no login

frank · August 12, 2021, 7:08am

Did the network traces help in understanding the problem?