Can you suggest something better?

I guess the message should be simper.

Right now, I'm not even sure what "The security token did not match" means after 10+ years using Joomla. Plus, it's not actionable ... what's the solution for the user?

How about ...

"Sorry, but we weren't able to log you in. Please try again".

It's not just a login failure. I'll let others turn this into user friendly speak, but basically...

There is a CSRF token that gets submitted as a part of most actions (form submissions mainly, but you can do it in other places too) that validates that the request is actually coming from a valid user, then that token is validated against a source (usually the session). If that token doesn't validate, you get the token error message and the action you were aiming to do doesn't process (submit a contact form, log in, etc.).

I guess I'm wondering if any of that extra information is useful? These are the kind of details that could be an error log, not presented to a user

You should only ever see this message if you are trying to manipulate/abuse the system - I say it should be harsh... if "users" are acting like real users then it would be very very very rare that a User sees such a message

@PhilETaylor I see your point, although:

1. I wasn't trying to abuse anything
2. Is this message helpful, either for a non-savvy user or an abuser?

I mean the form didn't submit. And it's going to be for a abnormal reason (i.e. it's not typical invalid user input) - because a session token didn't match the token in their form.

There needs to be some sort of message on how to proceed to the user and an explanation of why the form failed to submit successfully.

That's why it says "please try again"

On 12 May 2017 4:08 p.m., "George Wilson" notifications@github.com wrote:

I mean the form didn't submit. And it's going to be for a abnormal reason
(i.e. it's not typical invalid user input) - because a session token didn't
match the token in their form.

There needs to be some sort of message on how to proceed to the user and
an explanation of why the form failed to submit successfully.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#15967 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABPH8R8jWN1PHR0JkEIO9qgl1WH4aZT0ks5r5HYBgaJpZM4NYI7T
.

@stevejburge Can you replicate this issue over and over using "normal" user activity?

I can try, but have no idea what I did to cause the message to show.

Agree with @wilsonge on this: the message can give clearer feedback.

It's not that you necessarily did anything wrong, it could be something happened server side (the right data didn't write to the session) or your session timed out as examples. That's why it's hard to give a "good" message (in any platform), or even a context specific message, when there's a CSRF token validation error because generally you validate that token and immediately abort if that fails and the reason for that isn't something that you'll be able to explain in every scenario.

This message is popping up repeatedly for us if you want an example. We need to do 2 logins to get in almost every time. This message is an issue many are experiencing it is all over the threads for Joomla but no one seems to be coming up with a fix. You in no way need to be abusing the system to receive the message. This started occurring after the last 2 updates and has occurred in the past as well. I cant say I totally understand all the technical reason but every thread i have read says it due to plugins and other added feature that are not compliant to Joomla.
My question has always been the same on this issue. why does Joomla allow things that are not compliant to the core to be listed on their site it keeps happening though,

This message appears when "System - Page Cache" is enabled and when we try to login inside the front end of Joomla 3.7.3.

Message: "The security token did not match. The request was aborted to prevent any security breach. Please try again."

On the second login attempt the problem goes always, however the problem comes back when we log out and we try to login again.

It happens every time.

Does anyone knows why?

If I disable "System - Page Cache" the problem goes away.

Agree with @luispoll88 . Running 3.8.1 , using SClogin and the error message appears when cache is on. First login is successful. Every time after the first login failure.

Debugging
The Session::checktoken method : token:string(32) "6137a7cca78d58303846d7726a416b20" csrf:string(0) "" fallback:string(0) ""

The test token === csrf fails

Then you get the fallback token and then test for a new session , then OK. If no new session then return false. And of course the baseController::checkToken returns JINVALID_TOKEN_NOTICE. Always!! When cache is on. I don't get it.

SClogin? a third party extension?

Yes. Latest version.
I have a test site and using core login function it is working fine.

I suggest you go moan at SClogin developers then :) this page is for core Joomla only, we cannot be expected to support everyone elses problems :)

Well, I get that , but when I first commented I havn't tested core functions.

If I disable "System - Page Cache" the problem goes away.

What you need to realise is that Page cache is flatten your page and stores it as a file. If you need to use login in such a page you need to do it through AJAX/Javascript, there is nothing wrong with Joomla or any 3rd PD component/plugin/module here if those were designed to work with dynamic caching and you're forcing them to work (and rightfully they do fail) on static pages.

Page cache is disabled.

Closed for the reasons stated above #15967 (comment)

The System – Page Cache plugin is disabled on our site but we're able to reproduce the error message with the following process:

1. Log out
2. Have two tabs that are at the login screen
3. Log in to an account on one tab
4. Log in to the same account on another tab

It then takes me to the home page of my site with that same error message.