Help, Cannot Login - No _CSRFToken exists error

16 posts by 6 authors in: Forums > CMS Builder
Last Post: January 21, 2015   (RSS)

By claire - January 16, 2015

I might have a workaround - I'll update your ticket in a sec.


Claire Ryan

Save time by getting our experts to help with your project.

By theclicklab - January 16, 2015

Hi mizrahi, have you got access to phpadmin through your host control panel, you might be able to make some basic edits that way. 

By claire - January 16, 2015

Hi all, for anyone who has an issue with this in the future - we've located the source of the problem. It's related to a particular session_write_close call in lib/database_functions.php that causes this error on some servers.

The solution is as follows:

update /lib/database_functions.php and replace all instances of this:


with this:


If you also have the Autobackup plugin installed, please make sure the backup folder is writeable.

Dave has updated the CMSB source code so the next release shouldn't have this issue. If anyone is still having problems, please post here!


Claire Ryan

Save time by getting our experts to help with your project.

By Djulia - January 17, 2015

Hi Claire,

Interesting, but that causes a warning with use session_start in our script.

" if (!isset($_SESSION)) { session_start(); } "

PHP Warning:  session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

An idea?

I found this post: :


By Dave - January 19, 2015

Hi Djulia, 

I think that might be an unrelated problem, but we'll need to check it out to know for sure.

What was happening with the previous error is that the AutoBackup plugin was calling backupDatabase() which had an optimization to "close" sessions before long backup operations.  So all the patch does was "not" close sessions that were previously opened by CMSB.

If you want to print out what CMSB thinks the session name is you can add a debug line in /lib/init.php

// Initialize session
$session_name = cookiePrefix() . 'PHPSESSID'; // use a unique session cookie for each CMS installation
ini_set('', $session_name); // sets
die("ini_set('', $session_name)");

And check the cookie prefix value which comes from /data/settings.*.php and is stored in 'cookiePrefix'.

You could also check what the session name and ID is before that line:

print "session_name(): " .session_name(). "<br/>\n";
print "session_id(): " .session_id(). "<br/>\n";
if (!isset($_SESSION)) { session_start(); }

Actually, I'm not sure that we change session_id() at all.  Session_id is the name of the session file, and session_name of the cookie that stores the session_id.

If you'd like to  send server details to me at I can debug it for you.


Dave Edis - Senior Developer