Hi
When I log in to the backend, I get this error: Invalid security token
Agreed, I have the same issue, but only sometimes and it is not bothering me...
This could happen if you leave the login page open for too long without refreshing the security token by reloading the page before trying to log in. @immeyti do you still get the error even if you reload the login page immediately before logging in?
Thanks
open in new tab and logging.
@immeyti did my suggestion work for you?
I opened a new tab in the same browser and signed in to the backend
About your suggestion, I think I didn't understand it well :/ but I found out that this problem could be about sessions.
@immeyti basically there is a security token that is tied to user sessions that is rendered in the markup for the page to prevent cross-site scripting attacks. If you try to log in when your login page has been open for a while without refreshing the page first (regenerating the token), then you will be denied because the token that you have on that page is too old and has expired.
I'm going to close this issue since it sounds like that was the problem
Hi @LukeTowers,
I was facing the same issue. I don't know if this exists in docs, but using OCTOBER_SESSION_SECURE throws the same error (yes, localhost is not https).
It could be of help to someone :)
@brunocascio I'm not sure I understand what you're encountering or what you proposed as a solution
Just a comment for future troubles related to CSRF in dev environments 😀
Guys, but what if I can't refresh the page and get a new token? I have a work in progress, a dozen files in the editor. The changes will be lost.
@u07 you could load a new page to get your updated security token and then take that token and edit the HTML of the page you're on to insert it into the hidden input element with the name _token and then when you click save the AJAX request will use that new token to authorize the save request.
Or just copy and paste all of the in progress work to text files on your computer and then copy and paste them back. You should probably save more often :)
Yeah, that's a solution, kind of. But can't it happen automagically? Requesting and updating the token like every 1h?
@u07 as far as I'm aware that would defeat at least one of the purposes of the token. If you need the timeout to be longer, then you should be able to change how long your sessions last in config/sessions.php
@LukeTowers isn't that just a login cookie lifetime? cms.php says: session have a limited time (see session.lifetime) in case "back-end login remember" is False. Since it's True in my case, the cookie never expires. But the token does.
No, the session lifetime is for the session. The cookie is just to allow you to reauthorize even when your session has expired without having to login again. So the cookie is what will get you a new session token, but changing the session lifetime is what will help prevent your first session token from expiring in the first place.
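An added example, not part of the thread and not October CMS code: a small Node.js model of the mechanism discussed above, covering both a login page left open past the session lifetime and a Secure session cookie on a plain-HTTP dev host. The names `makeServer` and `loginAttempt`, the 2-hour lifetime, and the assumption that the client never returns a Secure cookie over http are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed model: sessions expire, and each session stores its own token.
function makeServer({ lifetimeMs, secureCookie }) {
  const sessions = new Map(); // session id -> { token, expires }

  // Find the live session for the presented cookie, or start a fresh one.
  function resolve(cookie, now) {
    const found = cookie && sessions.get(cookie);
    if (found && found.expires > now) return { id: cookie, data: found };
    const id = crypto.randomBytes(16).toString('hex');
    const data = { token: crypto.randomBytes(32).toString('hex'), expires: 0 };
    sessions.set(id, data);
    return { id, data };
  }

  return {
    // GET: render the form with the session token in the hidden _token field.
    getForm(cookie, now) {
      const { id, data } = resolve(cookie, now);
      data.expires = now + lifetimeMs;
      return { setCookie: { value: id, secure: secureCookie }, formToken: data.token };
    },
    // POST: the submitted token must match the caller's current session token.
    post(cookie, formToken, now) {
      const { data } = resolve(cookie, now);
      const a = Buffer.from(formToken), b = Buffer.from(data.token);
      const ok = a.length === b.length && crypto.timingSafeEqual(a, b);
      return ok ? 'ok' : 'Invalid security token';
    },
  };
}

// Client: loads the form, stays idle, then submits. Assumption: a Secure
// cookie is only sent back when the scheme is https.
function loginAttempt(opts, scheme, idleMs) {
  const server = makeServer(opts);
  const page = server.getForm(null, 0);
  const send = !page.setCookie.secure || scheme === 'https';
  return server.post(send ? page.setCookie.value : null, page.formToken, idleMs);
}

const HOUR = 3600e3; // constructed lifetime: 2 hours
const scenarios = () => ({
  fresh: loginAttempt({ lifetimeMs: 2 * HOUR, secureCookie: false }, 'http', 60e3),
  stalePage: loginAttempt({ lifetimeMs: 2 * HOUR, secureCookie: false }, 'http', 3 * HOUR),
  secureOverHttp: loginAttempt({ lifetimeMs: 2 * HOUR, secureCookie: true }, 'http', 60e3),
  secureOverHttps: loginAttempt({ lifetimeMs: 2 * HOUR, secureCookie: true }, 'https', 60e3),
});
console.log(scenarios());
```

In both failing scenarios the server ends up comparing the form's token against a brand-new session, which is why the same error message appears for two different causes.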
Hi @LukeTowers
Is there a workaround for the "Invalid security token" issue? I just ran into it for the first time and tried your suggestions as stated above but it still throws the same error and rather blocking me from navigating on the backend
@sammyaltron try asking for help on the Discord, this issue is usually always related to your server configuration vs the October configuration
$ php artisan cache:clear solves this issue for me.