Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Doesn't "checkToken()" function in Round-Robin in "Load Balancer"?

”checkToken()” which used Load Balancer in AWS didn't function. By what kind of idea is security check being performed?

    url: '/api/checkToken'
    type: 'POST',
    dataType: 'json',
    data: {
    success: function(json){
        case "ok":
          // processing...
        case "ng":
          // processing...
public function checkTokenAction()
  $tokenKey = $this->request->getPost("token_key");
  $token    = $this->request->getPost("token");

  header("Content-Type: application/json");
  if( $this->security->checkToken($tokenKey, $token) ){
        echo '{"status":"ok"}';
        echo '{"status":"error"}';


You can read the code to see understand better how it works:

Or it depends on way having it session information, and I decide. When managing at Database and memcached where you could synchronize, I found out that it's possible.

Thank you.

I know this has been answered but for google sake here is my small solution

One of the issue is the non persistent token in session due to checkToken() destroys session token variables.

A simple new security class

class Security extends \Phalcon\Security
    public function checkToken($tokenKey = null,$tokenValue = null, $destroyIfValid = false)
        return parent::checkToken($tokenKey,$tokenValue, $destroyIfValid);

service call

$di->set('security', function() {
        $security = new Security();
        return $security;
    }, true);

checkToken(null, null, false) will not destroy security Session variables, small implementation so you dont have to implement your own security algoritim.