New input lost when session expires or No _CSRFToken exist

3 posts by 2 authors in: Forums > CMS Builder
Last Post: January 13, 2023

By gkornbluth - January 8, 2023 - edited: January 8, 2023

Hi All,

I first approached this topic back in 2020 but it seems to have fallen through the cracks.

I know it’s good practice to automatically expire login sessions after 30 minutes or so, and it’s also a good practice to save changes often.

But a number of times my clients (and I) have written text directly into a text box, or made other changes to a section, and have been so caught up in the moment, or distracted before saving our work, that our sessions have timed out, or we’re told that a "Security Error: No _CSRFToken exists in session. Try reloading or going back to previous page". After an attempt to comply, the information is lost forever and we have to go back to square 1.

So, my question is:

Is optional autosave for the current open page a possibility?

Any other thoughts are welcome.

Thanks and stay safe,

Jerry Kornbluth


By Dave - January 12, 2023

Hi Jerry, 

Yea, we can give some thought to that.  The problem is servers are sometimes configured to clear cookies before PHP does, so we can lose the login session at any time.

That part of the code is due for a rewrite, might have to be its own version release.  Here are some thoughts and ideas I have about that:

  • We could keep the user logged in with a background "heartbeat" connection.  E.g., we use JavaScript to ping the server once a minute to refresh the login token/cookie
  • We could check if the user is still logged in before submitting the form.  We'd need to figure out what to do if they're not then, such as a popup login form or something else.
  • I could write a debug plugin to test how long servers actually let us keep cookies for, this is something that would be useful to know so CMSB doesn't set the timeout to a greater value
  • We could look at caching form input before submission either client-side or server-side.

One workaround for this issue is to open another tab, log in in that tab, and then refresh the original page.  But I think the _CSRFToken error happens when the server deletes the session/cookie before CMSB does.

I'll give it some thought.  Let me know if you have any other input or ideas.

Dave Edis - Senior Developer
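
An added example, not part of the original thread and not CMS Builder code: a sketch of two ideas from the list above, caching form input client-side and checking the session before submitting, written so that the `_CSRFToken` value and secrets are never persisted and drafts are keyed per user and expire. `DraftCache`, `guardSubmit`, `checkSession`, `memoryStorage` and the `password` field name are hypothetical.

```javascript
// Hypothetical names throughout; none of this is a CMSB API.
const SKIP = new Set(['_CSRFToken', 'password']); // never persist tokens or secrets

class DraftCache {
  // storage: any object with getItem/setItem/removeItem (localStorage in a browser)
  constructor(storage, userId, pageKey, maxAgeMs = 24 * 60 * 60 * 1000) {
    this.storage = storage;
    this.key = `draft:${userId}:${pageKey}`; // per-user key so drafts don't cross accounts
    this.maxAgeMs = maxAgeMs;
  }
  save(fields, now = Date.now()) {
    const kept = {};
    for (const [name, value] of Object.entries(fields)) {
      if (!SKIP.has(name)) kept[name] = value;
    }
    this.storage.setItem(this.key, JSON.stringify({ savedAt: now, fields: kept }));
    return kept;
  }
  restore(now = Date.now()) {
    const raw = this.storage.getItem(this.key);
    if (raw === null) return null;
    let draft;
    try { draft = JSON.parse(raw); } catch { draft = null; }
    if (!draft || now - draft.savedAt > this.maxAgeMs) {
      this.clear(); // corrupt or stale draft: discard it
      return null;
    }
    return draft.fields;
  }
  clear() { this.storage.removeItem(this.key); }
}

// Save the draft first, then ask the server whether the session is still alive.
// checkSession is an injected async function resolving to true or false.
async function guardSubmit(cache, fields, checkSession) {
  cache.save(fields); // the draft survives whatever happens next
  let alive = false;
  try { alive = await checkSession(); } catch { alive = false; } // error: treat as expired
  return alive ? 'submit' : 'reauth'; // on 'reauth': prompt for login, then restore()
}

// Constructed in-memory stand-in for localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}
```

The caller should call `clear()` only after the server confirms the save, and the restored form must be submitted with a fresh `_CSRFToken` from the new session rather than a cached one.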