Note: AT&T blocks this on some newer firmware unless the Referer header matches http://hotspot.webui/index.html . The hotspot.webui login for AT&T is a case of "enterprise expectations running on embedded hardware." If you are stuck in a login loop, 90% of the time it is DNS (use IP) or Session timeout (hard refresh) . The remaining 10% is the AT&T firmware bug requiring a SIM-less boot.
You type the correct password, click login, and the page simply reloads with ?error=auth but no "wrong password" message. This is not a password error; it's a stale CSRF token. hotspot.webui login att
The UI tries to load the "Cellular Status" widget simultaneously with the login challenge. The status widget times out (waiting for the modem to respond), which crashes the session_mgr daemon. The result: You log in, see the dashboard for 2 seconds, and get kicked back to hotspot.webui/login.html . Note: AT&T blocks this on some newer firmware