Reforis: login not possible, Forbidden CSRF token missing or incorrect


I cannot log into the reforis GUI of my router.
After entering the password I see “Forbidden CSRF token missing or incorrect.”

This is somewhat a deadlock, as I have to confirm the updates in reforis.

There is a bug: Fix CSRF token missing or incorrect (#323) · Issues · Turris / reForis / reForis · GitLab

For me this is 100% reproducible. I tried it with linux/firefox and macos/safari browser

Foris, where I can login says:

|Turris OS version |5.2.3|
|Turris OS branch |hbs|

My linux browser is configured to delete all cookies and website data when I close it, so I guess this prevents old data being used. I do not know howto proceed from here, could you please help?

Hi @frank,

Unfortunately this issue keeps appearing from time to time :frowning:

Could you please provide exact version of Firefox and Safari browser you used, so we could try to reproduce it?
Also which Linux distribution and Mac OS version?
Have you tried other chromium-based browsers?

Try this, the Turris OS GUI shouldn’t be involved in the problem:
The guide refers to another service, but the problem and the solution are the same.


in linux this was firefox 78.11.0esr (64-bit) on debian 11.
Safari was 12.1.2 MacOS 10.12.6

I tried here other browsers I had installed and this one did let me in:
Google Chrome Version 80.0.3987.116 (Official Build) (64-bit)

Hi, thank you. I see a Cookie being set “some seconds ago”, so this does not seem to be the problem.

Tried a new anonymous window in Firefox? So all extensions should be disabled. Maybe an extension prevents the correct creation of the cookie. I am with Firefox 90.0 on Arch Linux and I can log in without any problem.

I tried it now and got “Forbidden CSRF token missing or incorrect.".

So I think it is some sort of incoompability of the GUI and certain versions of browsers.

I found out today, that I have a chrome install which works, so I can use that to manage my turris for the time being.

I tried ESR versions (78.11.0 and 78.12.0) of Firefox on Slackware Linux (another classic distro like Debian :wink:) and cookie is set correctly.

Even after closing and opening Firefox again with “delete all cookies and website data when I close it” configuration, it works fine.

Could you try it with new firefox profile?
Maybe there is something odd with Firefox shipped by Debian.


I tried on debian 11 with a private window and there is the same result. Isn’t this a fresh profile?

I tried on a new machine where I have probably never started firefox before (and without any addons installed ) and I cannot log in:

This is using ubuntu “focal”

firefox 86.0+build3-0ubuntu0.20.04.1

Private window in firefox still uses your current browser profile (history, configuration, extensions, etc.).

To check if reforis works with the usual firefox configuration or does not work regardless of configuration, you would have to create brand-new profile.

See Profile Manager - Create, remove or switch Firefox profiles | Firefox Help

As to updates, confirming them in reForis isn’t the only option: you could simply SSH to your router and let them execute by “pkgupdate” command.


I created a new user on my system using adduser and started firefox as this new user and could not login. firefox 78.11.0esr (64-bit) on debian 11.

Ok thank you, nice to know


that is really odd.

I tried both Firefox 86.0 on Ubuntu Focal and 78.12.0.esr on Debian 11 and with basic configuration (i.e. default profile) and cookie is set fine, thus I can successfully log in and use reForis.

Although I tried both as virtual machines, not on real HW. Perhaps this might be HW related.

Extensions and additional configuration related to cookies might interfere with CSRF protection, but with default profile it should work fine.

So I would suggest upgrading to latest Firefox (78.12.0 esr in case of Debian Linux) and see if that helps.
We have encountered few issues with Firefox and reforis before. Most of the time it was caused by the specific Firefox versions and was fixed in later releases.

Are you able to log in to Foris or is broken too?

I can login into Foris and luci.

I updated and tried it with firefox-esr 78.12.0esr-1 and cannot login into reforis.

Would a pcap File of a connection attempt help?

I have no idea what I do here - and please tell me if I should change my router password now- fuzzy name matching and clicking brings me to this screen:

This is from the new user with the new firefox.

Ah and I see that I installed ublock origin as debian package, so it is always there… Might this be the problem? After deinstalling ublock still the same:

And I retried it after clearing cookies and website data and still no login

Did the network traces help in understanding the problem?