The CSRF token is invalid Please try to resubmit the form

Question

I m getting this error message every time I try to submit the form      The CSRF token is invalid  Please try to resubmit the form   My form code is this    lt form novalidate action    path  signup index      method  post    form enctype form    role  form  class  form-horizontal  gt       lt div class  form-group  gt             form label form email   Email     label attr     class    col-md-1 control-label                   form widget form email    attr     class    col-md-2                   form errors form email          lt  div gt        lt div class  form-group  gt             form label form nickname   Nickname     label attr     class    col-md-1 control-label                   form widget form nickname    attr    class    col-md-2                   form errors form nickname    attr     class    col-md-3             lt  div gt       lt div class  form-group  gt             form label form password   password     label attr     class    col-md-1 control-label                   form widget form password    attr     class    col-md-2                   form errors form password    attr     class    col-md-3             lt  div gt        lt div class  form-group  gt             form label form password repeat   Repeat password     label attr     class    col-md-1 control-label                   form widget form password repeat    attr    class    col-md-2                   form errors form password repeat    attr     class    col-md-3             lt  div gt       lt div class  form-group  gt           lt div class  col-md-1 control-label  gt           lt input type  submit  value  submit  gt       lt  div gt        lt  div gt   lt  form gt    Any ideas

User · Answer

This happens because forms by default contain CSRF protection, which is not necessary in some cases.

You can disable this CSRF protection in your form class in getDefaultOptions method like this:

// Other methods omitted

public function getDefaultOptions(array $options)
{
    return array(
        'csrf_protection' => false,
        // Rest of options omitted
    );
}

If you don't want to disable CSRF protection, then you need to render the CSRF protecion field in your form. It can be done by using {{ form_rest(form) }} in your view file, like this:

<form novalidate action="{{path('signup_index')}}" method="post" {{form_enctype(form)}} role="form" class="form-horizontal">
    <!-- Code omitted -->

    <div class="form-group">
        <div class="col-md-1 control-label">
            <input type="submit" value="submit">
        </div>

    </div>
    {{ form_rest(form) }}
</form>

{{ form_rest(form) }} renders all fields which you haven't entered manually.

User · Answer

Before your  lt  form gt  tag put      form rest form       It will automatically insert other important  hidden  inputs

User · Answer

You need to remember that CSRF token is stored in the session  so this problem can also occur due to invalid session handling  If you re working on the localhost  check e g  if session cookie domain is set correctly  in PHP it should be empty when on localhost

User · Answer

I faced a similar issue  After ensuring the token field was actually rendered  see accepted answer  I checked my cookies  There were 2    cookies for the domain in my Chrome browser  apparently because I was running the application on the same domain as another app  but with a different port  i e  mydomain com set the original cookie while the buggy app was running on mydomain com 123  Now apparently Chrome sent the wrong cookie so the CSRF protection was unable to link the token to the correct session   Fix  clear all the cookies for the domain in question  make sure you don t run multiple applications on the same domain with differing ports

User · Answer

I hade the same issue recently  and my case was something that s not mentioned here yet   The problem was I was testing it on localhost domain  I m not sure why exactly was this an issue  but it started to work after I added a host name alias for localhost into  etc hosts like this   127 0 0 1        foobar   There s probably something wrong with the session while using Apache and localhost as a domain  If anyone can elaborate in the comments I d be happy to edit this answer to include more details

User · Answer

In addition to others  suggestions you can get CSRF token errors if your session storage is not working   In a recent case a colleague of mine changed  session prefix  to a value that had a space in it   session prefix   My Website    This broke session storage  which in turn meant my form could not obtain the CSRF token from the session

User · Answer

You need to add the  token in your form i e    form row form  token      As of now your form is missing the CSRF token field  If you use the twig form functions to render your form like form form  this will automatically render the CSRF token field for you  but your code shows you are rendering your form with raw HTML like  lt form gt  lt  form gt   so you have to manually render the field  Or  simply add    form rest form     before the closing tag of the form   According to docs This renders all fields that have not yet been rendered for the given form  It s a good idea to always have this somewhere inside your form as it ll render hidden fields for you and make any fields you forgot to render more obvious  since it ll render the field for you    form rest view  variables

User · Answer

This seems to be an issue when using bootstrap unless you are rendering the form by    form form     In addition  the issues seems to only occur on input type  hidden   If you inspect the page the with the form  you ll find that the hidden input is not part of the markup at all or it s being rendered but not submitted for some reason  As suggested above  adding   form rest form    or wrapping the input like below should do the trick    lt div class  form-group  gt       lt input type  hidden  name   csrf token  value     csrf token  authenticate       gt   lt  div gt

User · Answer

If you have converted your form from plain HTML to twig  be sure you didn t miss deleting a closing  lt  form gt  tag  Silly mistake  but as I discovered it s a possible cause for this problem   When I got this error  I couldn t figure it out at first  I m using form start   and form end   to generate the form  so I shouldn t have to explicitly add the token with form row form  token   or use form rest   to get it  It should have already been added automatically by form end     The problem was  the view I was working with was one that I had converted from plain HTML to twig  and I had missed deleting the closing  lt  form gt  tag  so instead of       form end form       I had    lt  form gt     form end form       That actually seems like something that might throw an error  but apparently it doesn t  so when form end   outputs form rest    the form is already closed  The actual generated page source of the form was like this    lt form gt       lt  -- all my form fields    -- gt   lt  form gt   lt input type  hidden  id  item  token  name  item  token   value  SQAOs1xIAL8REI0evGMjOsatLbo6uDzqBjVFfyD0PE4    gt   lt  form gt    Obviously the solution is to delete the extra closing tag and maybe drink some more coffee

User · Answer

I had this issue with a weird behavior  clearing the browser cache didn t fix it but clearing the cookies  that is  the PHP session ID cookie  did solve the issue   This has to be done after you have checked all other answers  including verifying you do have the token in a hidden form input field

User · Answer

In my case I got a trouble with the maxSize annotation in the entity  so I increased it from 2048 to 20048            Assert File         maxSize    20048k          mimeTypes     application pdf    application x-pdf           mimeTypesMessage    Please upload a valid PDF           private  file    hope this answer helps

User · Answer

I had the same error  but in my case the problem was that my application was using multiple first-level domains  while the cookie was using one  Removing cookie domain     domain   from framework session in the config yml caused cookies to default to whatever domain the form was on  and that fixed the problem

User · Answer

Also you can see this error message when your form has a lot of elements   This option in php ini cause of problem    How many GET POST COOKIE input variables may be accepted  max input vars   1000   Problem is that  token field misses PUT  GET  request  so you have to increase value   Also  it concerns a big files  Increasing the  upload max filesize   option will solve problem

User · Answer

I had this error recently  Turns out that my cookie settings were incorrect in config yml  Adding the cookie path and cookie domain settings to framework session fixed it

User · Answer

In case you don t want to use form row or form rest and just want to access value of the  token in your twig template  Use the following    lt input type  hidden  name  form  token   value     form  token vars value       gt

[php] The CSRF token is invalid. Please try to resubmit the form

Examples related to php

Examples related to symfony

Examples related to twig