CSRF Token Being Re-generated On Page Refresh

How Do I?

davezachry
3 posts
10 years ago

This morning, our install of EE (2.8.1) began displaying the “An Error Was Encountered. This form has expired. Please refresh and try again.” message on the search form and CP login.

After extensive digging and searching, we’ve traced things down to seeing that on every page load, the PHP session is being re-started and this is creating a new CSRF token / cookie. Since this is happening, any form (POST) action is giving us the above “form expired” error.

Any thoughts or causes for the PHP session to begin doing this?

The site has been working well since its launch about a month or so ago.

Thanks for any help that can be provided.

       
airways
154 posts
10 years ago

I’ve seen this a few times before. Here are some ideas based on my own debugging list for login issues:

  • If you have wifi and a wired network connection, try disabling one, then the other. I have seen cases where a computer randomly switches between connections, invalidating the session immediately.

  • Add this (temporarily) to your config.php to turn off extensions; if you can log in afterwards, one of your add-ons is to blame:

$config['allow_extensions'] = 'n';

  • Add this to your config.php to change to session-only logins:

$config['cp_session_type'] = 's';

  • If session-only logins still do not work, change the value like so in config.php to change to cookie-only logins, then try the next few steps:

$config['cp_session_type'] = 'c';

If you still can’t log in, you can use this to disable the CSRF, but you don’t want to leave this on.

  • Turn off form security in config.php:

$config['secure_forms'] = 'n';
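
Added example, not part of the thread and not ExpressionEngine code: a small Python check for the symptom described in the question, run over request/response headers saved from consecutive page loads. It separates a client that stops sending the cookie back from a server that replaces a cookie it was sent. The cookie names, host and values in the sample are constructed placeholders; substitute the names your install actually sets.

```python
from http.cookies import SimpleCookie

def cookies_in(raw_headers, header):
    """Collect name -> value from every `header` line of a raw header block."""
    found, prefix = {}, header.lower() + ":"
    for line in raw_headers.splitlines():
        if line.lower().startswith(prefix):
            jar = SimpleCookie()
            jar.load(line[len(prefix):].strip())
            found.update({name: morsel.value for name, morsel in jar.items()})
    return found

def diagnose(exchanges, watched):
    """Return (exchange number, cookie, verdict) for each broken round trip.

    not_returned: the client did not send back the value it was last given.
    reissued:     the client sent the current value and the server replaced it.
    """
    findings, issued = [], {}
    for number, (request, response) in enumerate(exchanges, 1):
        sent = cookies_in(request, "Cookie")
        fresh = cookies_in(response, "Set-Cookie")
        for name in watched:
            if name in issued and sent.get(name) != issued[name]:
                findings.append((number, name, "not_returned"))
            elif name in fresh and name in sent and fresh[name] != sent[name]:
                findings.append((number, name, "reissued"))
            if name in fresh:
                issued[name] = fresh[name]
    return findings

# Constructed capture: three page loads; cookie names and values are placeholders.
SAMPLE = [
    ("GET / HTTP/1.1\nHost: example.test",
     "HTTP/1.1 200 OK\nSet-Cookie: PHPSESSID=aaa; Path=/\nSet-Cookie: csrf_token=t1; Path=/"),
    ("GET / HTTP/1.1\nHost: example.test\nCookie: PHPSESSID=aaa; csrf_token=t1",
     "HTTP/1.1 200 OK\nSet-Cookie: PHPSESSID=bbb; Path=/\nSet-Cookie: csrf_token=t2; Path=/"),
    ("GET / HTTP/1.1\nHost: example.test",
     "HTTP/1.1 200 OK\nSet-Cookie: PHPSESSID=ccc; Path=/\nSet-Cookie: csrf_token=t3; Path=/"),
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, ("PHPSESSID", "csrf_token")):
        print(finding)
```

A "reissued" verdict points at the server side, while "not_returned" points at the browser or anything between it and the server dropping the cookie.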
       
