J3 Issue ?
avatar tehstun
13 Sep 2016

Steps to reproduce the issue

I updated our site from 3.4.8 --> 3.6.0 --> 3.6.2. I had caching and System - Page Cache plugin turned on while this configuration is set. All users logging in get 'The most recent request was denied because it contained an invalid security token. Please refresh the page and try again.' error. After stopping both these processes from running and cleaning the cache / deleting, then turning it back on I still get the same issue.

Expected result

Users to be able to login while on the site without having any issues resolving around security tokens and caching, as I provide access to a fairly large and regular number of users.

Actual result

Users who login will obtain the information error ‘'The most recent request was denied because it contained an invalid security token. Please refresh the page and try again.’ Unless at least and System - Page Cache plugin is disabled and caching is set too progressive only.

System information (as much as possible)


Additional comments

I have also done the database fix on all stages of the updates.

Thanks for any help provided.


# of Users Experiencing Issue
Average Importance Score

avatar tehstun tehstun - open - 13 Sep 2016
avatar genesisfan
genesisfan - comment - 14 Sep 2016

I've got the same issue! The provided 'workaround' works for me.

avatar zero-24 zero-24 - change - 14 Sep 2016
Labels Added: ?
avatar zero-24
zero-24 - comment - 14 Sep 2016

Did they got that message after the login? Than it maybe comes from the last sec fix which refresh the session after login?

avatar genesisfan
genesisfan - comment - 14 Sep 2016

Yes, they got the message after the login.

avatar tehstun
tehstun - comment - 14 Sep 2016

After cleaning all the cache and turning back on all the caching modes, including system - page cache, all users would instantly get this message on a fresh incognito mode browser, even if they have not logged in within a couple of days. As soon as I turn off system - page cache plugin it will stop and allow them to login correctly.

@genesisfan What work around are you using or are you just disabling the same plugin as me?

avatar genesisfan
genesisfan - comment - 15 Sep 2016

@tehstun I´ve disabled the plugin and changed the cache policy from ON conservative to ON progressive.

avatar tehstun
tehstun - comment - 15 Sep 2016

Thanks @genesisfan this is the same thing I came to conclusion of doing.

avatar brianteeman brianteeman - change - 2 Oct 2016
Category Cache
avatar joomla-cms-bot joomla-cms-bot - change - 31 Jan 2017
The description was changed
avatar joomla-cms-bot joomla-cms-bot - edited - 31 Jan 2017
avatar llanverygranger
llanverygranger - comment - 31 Jan 2017


I get the same error, i.e. "The most recent request was denied because it contained an invalid security token. Please refresh the page and try again" when logging into the administrator page of my Joomla website. I have two-factor authentication set (using Google Authenticator app on my phone). Refreshing the page works, proving that the security token wasn't invalid?

Is this a different way of triggering the bug? But is it the same underlying issue?

I'm a newb with Joomla, so I have no idea at this stage! Thanks!

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12030.

avatar franz-wohlkoenig franz-wohlkoenig - change - 6 Apr 2017
Status New Confirmed
avatar franz-wohlkoenig franz-wohlkoenig - change - 8 Nov 2017
Status Confirmed Discussion
avatar stutteringp0et
stutteringp0et - comment - 14 Dec 2017

I'm getting invalid security tokens everywhere I try.

Easiest test, set up Global Configuration > Server > Mail Settings and press the "Send Test Mail" button.

Messing around in Session - I can't seem to tease the token out of JInput at all - and looking at the request, it appears that the token is sent as an X-CSRF-Token header and not a form input.

avatar stutteringp0et
stutteringp0et - comment - 14 Dec 2017

Could be related to #18821

avatar brianteeman
brianteeman - comment - 14 Dec 2017

that issue is for J4 - this report is for j3

avatar tehstun
tehstun - comment - 14 Dec 2017

The fix I did before is the one that was in place until I left the company, sorry I cannot be of any more help.

avatar stutteringp0et
stutteringp0et - comment - 14 Dec 2017

Dangit! Sorry - I'm looking at J4 issues - sorry for muddying the water

avatar stevesalt
stevesalt - comment - 15 Feb 2018

I am getting this exact same issue in J3.8.5.

avatar ggppdk
ggppdk - comment - 15 Feb 2018

When you are using system page cache plugin

  • the security token is created for the 1st visitor that will visit the page that contains login form

(= the first visitor that the cache will be updated after expiring)

so only the 1st visitor to update the page cache will be able to login (if this 1st visitor tries to login)

I do not of how this should be fixed
but if you want to use page cache plugin and also login at frontend

  • do these
  1. Remove all login modules from showing in all pages (or add it in just 1 or 2 pages)
  2. Create a login form menu item
  3. Exclude login form menu item from being cached in the settings of page cache plugin (also you can exclude the 1 or 2 pages that you have decided to show in the login module)

Also another solution for having login form in all pages

  • is if you install a login module (do not ask me to suggest one) that will show com_users login form in a modal window having inside an iframe that will load the com_users login view, then you can exclude this URL in system page cache plugin

Maybe this issue / behaviour should be documented somewhere, and some warning should be added in the page cache plugin too.

Once i tried to add some more description to the plugin but , eventually not even 1 sentense of my text was accepted.

avatar brianteeman brianteeman - change - 25 Mar 2018
Labels Added: J3 Issue
avatar brianteeman brianteeman - labeled - 25 Mar 2018
avatar SharkyKZ
SharkyKZ - comment - 13 Aug 2019

If you have gzip enabled, see if #25823 helps.

Add a Comment

Login with GitHub to post a comment