Security Error: Invalid _CSRFToken
I am getting this error message using Google Chrome ONLY. It was working fine before and all of a sudden this keeps happening when I am uploading photos.
I cleared the browser history and cache and hard reloaded the page and the message still shows.
E_USER_NOTICE: Security Error: Invalid _CSRFToken. Try reloading or going back to previous page.
/home/tcfs/public_html/cmsAdmin/lib/common.php (line 2540)
Any help or suggestions please?
Sometimes I come across this error when there's an http/https mismatch, which is something that may differ between browsers. Can you try on Chrome using the HTTPS url and let me know if that fixes the issue?
That is very curious that it would only happen in Chrome. Do you have another computer you could use to see if it's machine-specific? Or you can send us a 2nd-level support request (https://www.interactivetools.com/support/request/) with the instructions to reproduce the issue and we can try out a few browsers on our end. If it's happening in Chrome in general, it'd be worth finding the source of the issue.
UPDATE: The issue is with using the Flash Uploader on Google Chrome.
I usually have about 10 photos to upload at one time so I use the flash uploader which makes it very easy to do this.
Since a few days ago, this issue started happening with the Security Error.
Is there an updated version to allow multiple file uploads at one time without using the flash uploader?
This error message has happened to me for years with CMSB and Chrome. Anytime I am in the middle of updating a record and don't save it within about 30 minutes, I get the error. I can open the record in a new tab, enter the data again and click save without error. I always thought of it as a sort of timeout error.
You're right in that this error can be due to a timeout; the CSRF token is stored in a session variable that will expire after ~24 minutes with default PHP settings. This particular case is a bit of an outlier as it's only happening in one browser, but if you see it pop up after a period of inactivity, it's likely due to the timeout. The PHP config setting that controls this is gc_maxlifetime (https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime) if you ever want to adjust it on your server. (Note: the name is a bit misleading; this is the number of seconds after which a session will be considered "expired"; however, expired sessions aren't always cleaned up immediately, so they could remain active for longer.)
I have noticed this issue come up for a number of users, so I've raised it internally to see if we can come up with a way to improve how we store this, and possibly reduce how often these false timeouts show up.
Thanks for the feedback!
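The timeout behaviour described in the reply above, as an added example that is not part of the thread and not CMS Builder's code: a session-stored CSRF token check in PHP that reports a missing session token (the idle-timeout case) separately from a wrong token. The session key `csrf_token` and the form field `_csrf` are assumed names.

```php
<?php
declare(strict_types=1);

// Added illustration, not CMS Builder's code. The session key "csrf_token"
// and the form field "_csrf" are hypothetical names.
session_start();

/** Return the session's CSRF token, creating one on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Classify a submitted token as 'ok', 'expired' or 'mismatch'.
 * 'expired' also covers requests that arrive without the session cookie.
 */
function csrf_check($submitted): string
{
    $stored = $_SESSION['csrf_token'] ?? null;
    if (!is_string($stored) || $stored === '') {
        return 'expired';   // session data gone: nothing to compare against
    }
    if (!is_string($submitted) || !hash_equals($stored, $submitted)) {
        return 'mismatch';  // session alive, but token absent or wrong
    }
    return 'ok';
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $result = csrf_check($_POST['_csrf'] ?? null);
    if ($result !== 'ok') {
        http_response_code(403);
        $lifetime = (int) ini_get('session.gc_maxlifetime'); // 1440 s by default
        exit($result === 'expired'
            ? "Session expired (idle limit {$lifetime}s). Reload the form and resubmit."
            : 'Invalid CSRF token.');
    }
    exit('Saved.');
}
?>
<form method="post">
  <input type="hidden" name="_csrf" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <button>Save</button>
</form>
```

Both failure cases are still rejected with a 403; only the message differs, so a user who left a record open past the idle limit is told to reload rather than shown a generic security error.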