I updated our site from 3.4.8 --> 3.6.0 --> 3.6.2. I had caching and System - Page Cache plugin turned on while this configuration is set. All users logging in get 'The most recent request was denied because it contained an invalid security token. Please refresh the page and try again.' error. After stopping both these processes from running and cleaning the cache / deleting, then turning it back on I still get the same issue.
Users to be able to login while on the site without having any issues revolving around security tokens and caching, as I provide access to a fairly large and regular number of users.
Users who login will obtain the information error 'The most recent request was denied because it contained an invalid security token. Please refresh the page and try again.' Unless at least and System - Page Cache plugin is disabled and caching is set to progressive only.
I have also done the database fix on all stages of the updates.
Thanks for any help provided.
Did they get that message after the login? Then maybe it comes from the last sec fix, which refreshes the session after login?
After cleaning all the cache and turning back on all the caching modes, including system - page cache, all users would instantly get this message on a fresh incognito mode browser, even if they have not logged in within a couple of days. As soon as I turn off system - page cache plugin it will stop and allow them to login correctly.
@genesisfan What work around are you using or are you just disabling the same plugin as me?
I get the same error, i.e. "The most recent request was denied because it contained an invalid security token. Please refresh the page and try again" when logging into the administrator page of my Joomla website. I have two-factor authentication set (using Google Authenticator app on my phone). Refreshing the page works, proving that the security token wasn't invalid?
Is this a different way of triggering the bug? But is it the same underlying issue?
I'm a newb with Joomla, so I have no idea at this stage! Thanks!
I'm getting invalid security tokens everywhere I try.
Easiest test, set up Global Configuration > Server > Mail Settings and press the "Send Test Mail" button.
Messing around in Session - I can't seem to tease the token out of JInput at all - and looking at the request, it appears that the token is sent as an X-CSRF-Token header and not a form input.
The fix I did before is the one that was in place until I left the company, sorry I cannot be of any more help.
Dangit! Sorry - I'm looking at J4 issues - sorry for muddying the water
When you are using system page cache plugin
(= the first visitor that the cache will be updated after expiring)
so only the 1st visitor to update the page cache will be able to login (if this 1st visitor tries to login)
I do not know how this should be fixed
but if you want to use page cache plugin and also login at frontend
Also another solution for having login form in all pages
Maybe this issue / behaviour should be documented somewhere, and some warning should be added in the page cache plugin too.
Once I tried to add some more description to the plugin, but eventually not even 1 sentence of my text was accepted.
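A simplified model of the behaviour reported in this thread, added here as an illustration and not taken from Joomla or from any commenter: a full-page cache stores the login form together with the anti-CSRF token of whichever visitor rendered it, so every later visitor submits a token that does not match their own session. The `Site` class, its method names and the HMAC-based token derivation are assumptions made for the model.

```python
import hashlib
import hmac
import re
import secrets


class Site:
    """Toy model (assumption): one per-session form token, one shared full-page cache."""

    def __init__(self, page_cache):
        self.page_cache = page_cache   # models "System - Page Cache" on/off
        self.sessions = {}             # session id -> per-session secret
        self.cache = {}                # URL -> rendered HTML, shared by all guests

    def new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_bytes(16)
        return sid

    def form_token(self, sid):
        # Token is derived from the visitor's own session, so it differs per visitor.
        return hmac.new(self.sessions[sid], b"form-token", hashlib.sha256).hexdigest()[:32]

    def get_page(self, sid, url="/"):
        if self.page_cache and url in self.cache:
            return self.cache[url]     # served as-is: contains someone else's token
        html = f'<form method="post"><input type="hidden" name="{self.form_token(sid)}" value="1"></form>'
        if self.page_cache:
            self.cache[url] = html
        return html

    def post_login(self, sid, html):
        # The browser posts back whatever hidden field the page contained.
        posted = re.search(r'name="([0-9a-f]{32})"', html).group(1)
        return hmac.compare_digest(posted, self.form_token(sid))


def login_results(page_cache, visitors=3):
    """Each visitor opens the page in a fresh session and submits the login form."""
    site = Site(page_cache)
    results = []
    for _ in range(visitors):
        sid = site.new_session()
        results.append(site.post_login(sid, site.get_page(sid)))
    return results


if __name__ == "__main__":
    print("page cache on: ", login_results(True))
    print("page cache off:", login_results(False))
```

With the cache on, only the visitor whose request populated the cache passes the token check; with it off, every visitor gets a form carrying their own token.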