
Invalid CSRF Protection Token


I am no longer able to save any settings, add any clients, make any payments, or make any changes at all in WHMCS right now. It just keeps logging me out and when I log back in it says Invalid CSRF Protection Token. I have googled this and reviewed other answers in the forums and they did not work for me.


I have tried:

1. adding session_name("WHMCS"); to the configuration.php file

2. disabling Session IP Check under Setup > General Settings > Security tab

3. upgrading to newest version


The first one just made it worse. It put me in a logging in loop. I had to log in and then verify my password and then log in again then verify password. Just a loop.


The second two options could not be done because of the error I am asking about, Invalid CSRF Protection Token. This will not allow me to do those two things. How can I fix this issue? My client area (WHMCS) is at http://client.websmithguy.com. Any help is appreciated.


You shouldn't be adding any session name to your configuration.php file, this can actually break the session.


From the description, it does sound like a session issue. Perhaps your session save path isn't read/writable?


I'd also suggest opening a ticket and our support guys can look at this for you.


I realized this was related to another issue with sessions which I was having (https://help.whmcs.com/m/troubleshooting/l/678268-troubleshooting-login-problems). That article states that the issue comes up for 1 of 2 reasons:

Quote:

  - The configured session tmp path not being writeable
  - The configured session tmp path being full

After doing phpinfo(), I realised my session.save_path was pointing to a non-existent directory. Had to edit my php.ini and set its value to /tmp.
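
The check described in this thread (a session.save_path that is missing, not writable, or full), as an added example that is not part of the original posts or of WHMCS. The function names, the 1024 KB free-space threshold and the sample php.ini are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: diagnose PHP's files-based session store (POSIX sh).

# Print the directory part of the last active session.save_path line in a php.ini.
# Handles /path, "/path", and the quoted "N;/path" and "N;MODE;/path" forms.
session_path_from_ini() {
    value=$(grep -E '^[[:space:]]*session\.save_path[[:space:]]*=' "$1" | tail -n 1 |
            sed -E 's/^[^=]*=[[:space:]]*//')
    case "$value" in
        \"*) value=$(printf '%s\n' "$value" | sed -E 's/^"([^"]*)".*$/\1/') ;;
        *)   value=$(printf '%s\n' "$value" | sed -E 's/[[:space:]]*(;.*)?$//') ;;
    esac
    printf '%s\n' "${value##*;}"   # drop any depth/mode prefix
}

# Classify a session directory: unset | missing | not-writable | full | ok.
# $2 is the minimum free space in KB (assumed default: 1024).
check_session_dir() {
    dir=$1; min_kb=${2:-1024}
    [ -n "$dir" ] || { echo unset; return; }
    [ -d "$dir" ] || { echo missing; return; }
    [ -w "$dir" ] && [ -x "$dir" ] || { echo not-writable; return; }
    free_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$min_kb" ] || { echo full; return; }
    # Write probe also catches inode exhaustion and read-only mounts.
    probe="$dir/sess_probe_$$"
    ( : > "$probe" ) 2>/dev/null || { echo not-writable; return; }
    rm -f "$probe"
    echo ok
}

# Constructed sample php.ini: a commented-out line, then a path that does not exist.
demo_ini=$(mktemp)
printf '%s\n' '[Session]' ';session.save_path = "/tmp"' \
    'session.save_path = "2;0600;/nonexistent/php-sessions"' > "$demo_ini"
demo_dir=$(session_path_from_ini "$demo_ini")
echo "session.save_path -> $demo_dir: $(check_session_dir "$demo_dir")"
rm -f "$demo_ini"
```

Run it as the account PHP executes under, since writability is evaluated for the current user. On a shared host, a dedicated session directory owned by that account and not readable by others keeps session files away from other users of a world-writable /tmp.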

