Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

CSRF token, check failed - return only false


I have problem with csrf token.

In my form i have:

<input type='hidden' name='<?php echo $this->security->getTokenKey(); ?>' value='<?php echo $this->security->getToken(); ?>'/>

in controller, i check token with


and this return false only.

I have:

$di->setShared('session', function () { $session = new SessionAdapter(); $session->start();

return $session;


Edit: Hi, again. The problem exists when I'm redirected to the form page, and if I open it directly all work.

I open user/user, but i not logged and redirect me to login page->csrf no work; I open user/login direct and csrf is work.

Where is the problem?

i am not a bot, please


token checking is valid only once.

first time you execute checkToken() the token ( in the session ) will be removed. My guess is this is what is causing your problem


Hi @yanancom you must use getSessionToken() to get last token, or use checkToken( , ,false) use false at last param to not destroy if the token is valid

Good luck

Thanks for help, Emilio.