Todo #9799


Create custom CSRF callback page with proper theme & more warnings

Added by Jim Pingle over 2 years ago. Updated almost 2 years ago.

Web Interface


When a user triggers a CSRF error, either by accident (e.g. sitting on the login page for hours without submitting, then trying to log in), or by malicious means (e.g. unintentional submission from a malicious page), the presented page has two issues:

1. It's a plain/default page from CSRF magic, not themed to match pfSense
2. There is not enough warning text about submitting the "Try Again" button, since it may cause harm

The page can be customized by defining a custom callback function, as described in the CSRF Magic docs:

The configuration/function can be defined before the include of CSRF Magic happens.
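An added example of the approach the description outlines (it is not pfSense's or csrf-magic's own code): a callback registered in `$GLOBALS['csrf']['callback']` before csrf-magic.php is included, which denies the request, explains the risk, and only allows a retry behind a checkbox plus a JS confirmation. It assumes csrf-magic's convention that the callback receives the token string as its only argument and that the failed POST body is still in `$_POST`; the function name, page wording and the `/` return link are hypothetical.

```php
<?php
// Added example, not pfSense's or csrf-magic's own code. Place this BEFORE
// `require_once('csrf-magic.php')`: csrf-magic reads $GLOBALS['csrf']['callback']
// when a token check fails and invokes it with the token string as its
// sole argument (csrf-magic's documented convention).
$GLOBALS['csrf']['callback'] = 'themed_csrf_callback'; // hypothetical name

function themed_csrf_callback($tokens) {
    // Deny the request first; nothing is processed unless the user opts in.
    header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
    header('Cache-Control: no-store');

    // Carry the failed POST body forward as hidden fields so a deliberate retry
    // is possible. The data may have come from a hostile page, so every name
    // and value is escaped before it is written into the HTML.
    $hidden = '';
    foreach ($_POST as $name => $value) {
        if (is_array($value)) { continue; }          // kept out of scope here
        $hidden .= sprintf('<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    // $tokens is deliberately not echoed; the stock page prints it as debug.
    echo <<<HTML
<!DOCTYPE html>
<html><head><title>CSRF check failed</title>
<!-- hypothetical: the real page would pull in the GUI's theme assets here -->
</head><body>
<h1>Security check failed</h1>
<p>This request was blocked because it did not carry a valid token. Either the
page was open too long before submitting, or another site tried to submit a
form to this device on your behalf.</p>
<p><strong>Only resubmit if you performed this action yourself.</strong>
Resubmitting a request you did not make lets that request take effect.</p>
<p><a href="/">Return to the dashboard without resubmitting</a></p>
<form method="post" action="" onsubmit="return confirm('Resubmit this request?');">
$hidden
<label><input type="checkbox"
 onchange="document.getElementById('retry').disabled = !this.checked;">
I understand the risk and performed this action myself</label>
<button id="retry" type="submit" disabled>Try again</button>
</form>
</body></html>
HTML;
    exit; // csrf-magic exits after the callback anyway; this is defensive
}
```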

Actions #1

Updated by Jim Pingle over 2 years ago

CSRF Magic prevents attacks like the one described at -- but as with ANY action prevented by CSRF, if the user willingly chooses to resubmit the form, then the attack can still proceed.

Actions #2

Updated by Jim Pingle over 2 years ago

I just pushed the first pass at this. It functions, but could use some design work.

I'm considering removing the resubmit function at all, replacing it with a button/link to return to the previous page, if anything at all. While many times this error is encountered innocuously, the danger may not be worth allowing resubmission.

Actions #3

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.5.0 to 2.4.5

Actions #5

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved

This is working as intended on 2.4.5.a.20191217.0637

If a client triggers a CSRF failure, they are presented with a nicely formatted error page. This error page requires two forms of confirmation to continue (checkbox+button push and an additional JS confirmation dialog).

Actions #6

Updated by Jim Pingle almost 2 years ago

  • Private changed from Yes to No