Security Error: Invalid _CSRFToken

9 posts by 4 authors in: Forums > CMS Builder
Last Post: April 2, 2020   (RSS)

By wevolutions - March 3, 2020

I am getting this error message using Google Chrome ONLY. It was working fine before and all of a sudden this keeps happening when I am uploading photos.

I cleared the browser history and cache and hard reloaded the page and the message still shows.

E_USER_NOTICE: Security Error: Invalid _CSRFToken. Try reloading or going back to previous page.

/home/tcfs/public_html/cmsAdmin/lib/common.php (line 2540)

Any help or suggestions please?

By daniel - March 3, 2020

Hi wevolutions, 

Sometimes I come across this error when there's an http/https mismatch, which is something that may differ between browsers. Can you try on chrome using the HTTPS url and let me know if that fixes the issue?


Technical Lead

By wevolutions - March 4, 2020

Both http and https give the same error. It does not happen with other browsers so I am guessing there may be some issue with my Google Chrome.

By daniel - March 5, 2020

Hi wevolutions,

That is very curious that it would only happen in Chrome. Do you have another computer you could use to see if it's machine-specific? Or you can send us a 2nd-level support request ( with the instructions to reproduce the issue and we can try out a few browsers on our end. If it's happening in Chome in general, it'd be worth finding the source of the issue.


Technical Lead

By wevolutions - March 5, 2020

It happens ONLY in Chrome and it is machine specific. Other computers and browsers work just fine. I cleared the cache many times, I deleted cookies, Google Chrome has the latest version running, I am not sure what to do again. I should figure it out soon enough.

By wevolutions - March 6, 2020

UPDATE: The issue is with using the Flash Uploader on Google Chrome.

I usually have about 10 photos to upload at one time so I use the flash uploader which makes it very easy to do this.

Since a few days ago, this issue started happening with the Security Error.

Is there an updated version to allow multiple file uploads at one time without using the flash uploader?

By KennyH - April 1, 2020

This error message has happened to me for years with CMSB and Chrome. Anytime I am in the middle of updating a record and don't save it within about 30 minutes, I get the error. I can open the record in a new tab, enter the data again and click save without error. I always thought of it as a sort of timeout error.


By daniel - April 2, 2020

Hi Kenny,

You're right in that this error can be due to a timeout; the CSRF token is stored in a session variable that will expire after ~24 minutes with default PHP settings. This particular case is a bit of an outlier as it's only happening in one browser, but if you see it pop up after a period of inactivity, it's likely due to the timeout. The PHP config setting that controls this is gc_maxlifetime ( if you ever want to adjust it on your server. (Note: the name is a bit misleading; this is the number of seconds after which a session will be considered "expired," however, expired sessions aren't always cleaned up immediately, so they could remain active for longer)

I have noticed this issue come up for a number of users, so I've raised it internally to see if we can come up with a way to improve how we store this, and possibly reduce how often these false timeouts show up.

Thanks for the feedback!

Technical Lead