As a Joomla user, you've likely experienced the "Invalid Token" error when logging into your site.
You've probably had questions about it from users or customers who wanted it resolved.
In the following tutorial, we'll cover what it is and how to resolve it. Unlike other solutions you might find, this won't involve a core hack and it won't compromise your site's security.
What is "Invalid Token"? And why does it happen?
Joomla adds security tokens to forms. The security tokens keep sites safe from most Cross Site Request Forgery (CSRF) attacks.
When a page is accessed, if the token is not current, the error occurs.
Unfortunately, legitimate users often trigger the error too, even though no attack is taking place.
Here are some example cases in which this happens:
- A user accesses the administrator page, then logs in. Upon logging in, the "Invalid Token" message appears.
- A user has a tab open with the login page from the night before. The user tries logging in and gets the "Invalid Token" message.
- A user clicks on a promotional link within an email. The user then fills out the form on the site and gets the "Invalid Token" message.
Steps to replicate the error
The easiest way to replicate the error is to try the following steps:
- Open a login page
- In a new tab in the same browser, open the same login page and log in
- Go back to the first tab and try logging in. You'll get the "Invalid Token" message
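The steps above can be reproduced without a browser. The following script is an added example, not Joomla's code: it is a simplified model in plain PHP of how a form token is tied to the session and to the logged-in user (the `SessionModel` class and its method names are my own), and it walks through the stale-tab case from this section, the idle-timeout case from Fix #2, and the www/non-www case from Fix #1, where the request arrives without the session cookie and so is handled by a brand-new session.

```php
<?php
// Added example: a self-contained model of why a stale form fails the token check.
// This is NOT Joomla's code. It mimics the behaviour described in the article:
// the token is bound to the session secret and to the logged-in user, and it
// dies when the session expires.

class SessionModel
{
    private $secret;        // per-session secret, regenerated whenever a session starts
    private $userId = 0;    // 0 = guest
    private $lastActivity;
    private $lifetimeSec;

    public function __construct($lifetimeMinutes, $now)
    {
        $this->lifetimeSec = $lifetimeMinutes * 60;
        $this->start($now);
    }

    private function start($now)
    {
        $this->secret = bin2hex(random_bytes(16));
        $this->userId = 0;
        $this->lastActivity = $now;
    }

    // Token placed in a hidden form field when a page is rendered.
    public function formToken()
    {
        return hash('sha256', $this->userId . ':' . $this->secret);
    }

    public function login($userId, $now)
    {
        $this->touch($now);
        $this->userId = $userId;   // every token issued while a guest is now stale
    }

    // Expire the session if it was idle longer than the configured lifetime.
    private function touch($now)
    {
        if ($now - $this->lastActivity > $this->lifetimeSec) {
            $this->start($now);    // old secret is gone, so old tokens are invalid
        }
        $this->lastActivity = $now;
    }

    // Server-side check on submission: does the submitted token match the one
    // this session would issue right now? Constant-time compare, as in any CSRF check.
    public function checkToken($submitted, $now)
    {
        $this->touch($now);
        return hash_equals($this->formToken(), $submitted);
    }
}

function verdict($ok)
{
    return $ok ? "ok" : "Invalid Token";
}

$t0 = 1000000;   // constructed timestamp

// Case 1 (this section): tab 1 renders the login form, tab 2 logs in, tab 1 submits.
$s = new SessionModel(15, $t0);
$tab1Token = $s->formToken();
$s->login(42, $t0 + 10);
echo "stale tab after login in another tab: " . verdict($s->checkToken($tab1Token, $t0 + 20)) . "\n";

// Case 2 (Fix #2): form left open for 20 minutes with the default 15-minute lifetime.
$s = new SessionModel(15, $t0);
$token = $s->formToken();
echo "submitted after 20 min idle, 15-min lifetime: " . verdict($s->checkToken($token, $t0 + 20 * 60)) . "\n";

// Same form with the lifetime raised to 2880 minutes.
$s = new SessionModel(2880, $t0);
$token = $s->formToken();
echo "submitted after 20 min idle, 2880-min lifetime: " . verdict($s->checkToken($token, $t0 + 20 * 60)) . "\n";

// Case 3 (Fix #1): the form was rendered on www.example.com but posted to example.com,
// so the session cookie is not sent and the server starts a fresh session.
$rendered = new SessionModel(15, $t0);
$token = $rendered->formToken();
$freshSession = new SessionModel(15, $t0 + 5);
echo "posted to the other hostname: " . verdict($freshSession->checkToken($token, $t0 + 5)) . "\n";
```

Run it with `php model.php`; the first, second and fourth cases print "Invalid Token" and only the raised-lifetime case prints "ok". The model deliberately ignores everything else Joomla does with sessions; its point is that each fix in this article removes one of the three ways the server-side token can stop matching the one in the page.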
Fix #1: Redirect subdomain
Unless you need subdomains, make sure that your site uses only one domain.
By default, most web hosts make your site reachable at both the www and the non-www address. Make sure you redirect one to the other. If you need a tutorial for this, we have a good one here.
The above trick will prevent the most common administrator "Invalid Token" messages.
Fix #2: Increase your session lifetime
The session lifetime determines how long a user stays logged in when inactive. It's a security feature in case someone leaves their computer in a public area.
For example, let's say an administrator leaves the default session lifetime of 15 minutes. If 15 minutes goes by and the user hasn't had any activity on the site, Joomla will log them out.
Let's say a user is filling out a form and gets interrupted by a family member. Then the user comes back to the computer 20 minutes later. They'll get the "Invalid Token" message upon submission. The reason is that their token has expired at that point. The session was closed automatically by Joomla.
Here are two conditions under which it makes sense to increase your session lifetime:
- Your site doesn't hold sensitive information
- And your users aren't likely to access your site from a public computer (e.g. a public library computer).
On some of our sites, we have it set to 2880 (minutes), which translates to two days. What you should set yours to depends on your users.
Increasing the session lifetime will result in fewer "Invalid token" messages for legitimate users.
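For reference, this is where the value lives on disk. The excerpt is an added example, not taken from the article: it shows the `$lifetime` property in a Joomla site's `configuration.php` with the default next to the two-day value mentioned above (the other properties of the class are omitted, and editing the file by hand assumes it is writable by you rather than by the web server).

```php
<?php
// Added example: the session lifetime setting in Joomla's configuration.php.
// The value is in minutes. Other properties of the class are omitted here.
class JConfig
{
    // Default: an idle user is logged out after 15 minutes, and any form token
    // issued to them dies with the session. Keep this on sites with sensitive
    // data or users on shared computers.
    // public $lifetime = '15';

    // Raised to two days, as on the sites mentioned above: fewer "Invalid Token"
    // errors for forms left open, at the cost of a longer window if a logged-in
    // browser is left unattended.
    public $lifetime = '2880';
}
```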
Fix #3: Friendly message
The "Invalid Token" message is confusing and can be frustrating. Most users don't know what it means.
After installing the "System - Invalid Token Interceptor" plugin, go to:
- Extensions (top menu)
- Plugin Manager (sub menu)
- Search for the "System - Invalid Token Interceptor" plugin and click on it
- Set the status to enabled and add your message. For example, I'm using "Sorry, there was an error. Please retry your request." for the error message.
- Save & Close
Now try the "steps to replicate the error" section again. You should see your 404 page display, plus your error message. You'll also have your site's navigation.
Fix #4: Contact the developer
If the "Invalid Token" message is appearing on a certain extension, contact the developer.
Ask them to check and make sure that their forms are adding the security token. You can provide them with this Joomla documentation.
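What "adding the security token" looks like in a Joomla 3 extension, as an added example that is not from the article or from any particular extension: the template prints the hidden token field and the controller task refuses the request unless that field validates for the current session. The component, view, controller and language keys (`com_example`, `ExampleControllerContact`, `COM_EXAMPLE_*`) are placeholders; the two parts would normally live in separate files.

```php
<?php
// Added example (not from the article or any specific extension): adding and
// checking the CSRF token in a Joomla 3 component. Names such as com_example
// and ExampleControllerContact are placeholders.

// --- 1. The form layout, e.g. components/com_example/views/contact/tmpl/default.php
//        JHtml::_('form.token') prints the hidden input that the check below expects.
defined('_JEXEC') or die;
?>
<form action="<?php echo JRoute::_('index.php?option=com_example&task=contact.send'); ?>"
      method="post">
    <input type="text" name="email" />
    <button type="submit"><?php echo JText::_('COM_EXAMPLE_SEND'); ?></button>
    <?php echo JHtml::_('form.token'); ?>
</form>
<?php

// --- 2. The controller task, e.g. components/com_example/controllers/contact.php
//        Without the check the form can be submitted cross-site; with it, a missing
//        or stale token produces exactly the "Invalid Token" page discussed above.
class ExampleControllerContact extends JControllerLegacy
{
    public function send()
    {
        // Reject the request unless a token valid for this session came in via POST.
        JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));

        $app   = JFactory::getApplication();
        $email = $app->input->post->getString('email', '');

        // ... handle the submission ...

        $app->enqueueMessage(JText::_('COM_EXAMPLE_SENT'));
        $this->setRedirect(JRoute::_('index.php?option=com_example', false));
    }
}
```

A quick way to confirm an extension does this is to view the source of its form and look for the hidden input that `form.token` emits; if it is absent, the server-side check is either missing too or will reject every submission.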
The "Invalid Token" message is part of a Joomla security feature, but it often gets in the way of legitimate users.
Using the above steps, you can reduce how often your users run into it.