I've got the same issue! The provided 'workaround' works for me.

Did they got that message after the login? Than it maybe comes from the last sec fix which refresh the session after login?

Yes, they got the message after the login.

After cleaning all the cache and turning back on all the caching modes, including system - page cache, all users would instantly get this message on a fresh incognito mode browser, even if they have not logged in within a couple of days. As soon as I turn off system - page cache plugin it will stop and allow them to login correctly.

@genesisfan What work around are you using or are you just disabling the same plugin as me?

@tehstun I´ve disabled the plugin and changed the cache policy from ON conservative to ON progressive.

Thanks @genesisfan this is the same thing I came to conclusion of doing.

Hi

I get the same error, i.e. "The most recent request was denied because it contained an invalid security token. Please refresh the page and try again" when logging into the administrator page of my Joomla website. I have two-factor authentication set (using Google Authenticator app on my phone). Refreshing the page works, proving that the security token wasn't invalid?

Is this a different way of triggering the bug? But is it the same underlying issue?

I'm a newb with Joomla, so I have no idea at this stage! Thanks!

I'm getting invalid security tokens everywhere I try.

Easiest test, set up Global Configuration > Server > Mail Settings and press the "Send Test Mail" button.

Messing around in Session - I can't seem to tease the token out of JInput at all - and looking at the request, it appears that the token is sent as an X-CSRF-Token header and not a form input.

Could be related to #18821

that issue is for J4 - this report is for j3

The fix I did before is the one that was in place until I left the company, sorry I cannot be of any more help.

Dangit! Sorry - I'm looking at J4 issues - sorry for muddying the water

I am getting this exact same issue in J3.8.5.

When you are using system page cache plugin

• the security token is created for the 1st visitor that will visit the page that contains login form

(= the first visitor that the cache will be updated after expiring)

so only the 1st visitor to update the page cache will be able to login (if this 1st visitor tries to login)

I do not of how this should be fixed
but if you want to use page cache plugin and also login at frontend

• do these

1. Remove all login modules from showing in all pages (or add it in just 1 or 2 pages)
2. Create a login form menu item
3. Exclude login form menu item from being cached in the settings of page cache plugin (also you can exclude the 1 or 2 pages that you have decided to show in the login module)

Also another solution for having login form in all pages

• is if you install a login module (do not ask me to suggest one) that will show com_users login form in a modal window having inside an iframe that will load the com_users login view, then you can exclude this URL in system page cache plugin

Maybe this issue / behaviour should be documented somewhere, and some warning should be added in the page cache plugin too.

Once i tried to add some more description to the plugin but , eventually not even 1 sentense of my text was accepted.

If you have gzip enabled, see if #25823 helps.

Thank you for raising this issue.

Joomla 3 is now in security only mode with no further bug fixes or new features.

As this issue doesn't relate to Joomla 4 it will now been closed.

If we are mistaken and this does apply to Joomla 4 please open a new issue (and reference this one if you wish) with updated details for testing in Joomla 4.
cc @zero-24