Form submit never reaching controller action?


I’ve had a website running using CakePHP 3 for over 6 months now.

All of a sudden, all of the forms on my webpages stopped working, such that whenever you submit one, nothing happens (controller action doesn’t get called) but you are redirected to the home page. I am indeed generating the form using CakePHP’s provided FormHelper.

Is there anything anyone can think of that could be causing this?

I was initially using the CSRF and Security components, and submitting a form would give this error to users in non-debug mode:

The request has been black-holed
Error: The requested address ‘/’ was not found on this server.

The error’s call stack logged is as below:

2016-12-16 22:51:43 Error: [Cake\Controller\Exception\AuthSecurityException] The request has been black-holed
Request URL: /
Referer URL:
Stack Trace:
#0 /home/public/vendor/cakephp/cakephp/src/Controller/Component/SecurityComponent.php(130): Cake\Controller\Component\SecurityComponent->_validatePost(Object(App\Controller\PagesController))
#1 /home/public/vendor/cakephp/cakephp/src/Event/EventManager.php(422): Cake\Controller\Component\SecurityComponent->startup(Object(Cake\Event\Event))
#2 /home/public/vendor/cakephp/cakephp/src/Event/EventManager.php(391): Cake\Event\EventManager->_callListener(Array, Object(Cake\Event\Event))
#3 /home/public/vendor/cakephp/cakephp/src/Event/EventDispatcherTrait.php(78): Cake\Event\EventManager->dispatch(Object(Cake\Event\Event))
#4 /home/public/vendor/cakephp/cakephp/src/Controller/Controller.php(501): Cake\Controller\Controller->dispatchEvent(‘…’)
#5 /home/public/vendor/cakephp/cakephp/src/Http/ActionDispatcher.php(117): Cake\Controller\Controller->startupProcess()
#6 /home/public/vendor/cakephp/cakephp/src/Http/ActionDispatcher.php(96): Cake\Http\ActionDispatcher->_invoke(Object(App\Controller\PagesController))
#7 /home/public/vendor/cakephp/cakephp/src/Http/BaseApplication.php(83): Cake\Http\ActionDispatcher->dispatch(Object(Cake\Network\Request), Object(Cake\Network\Response))
#8 /home/public/vendor/cakephp/cakephp/src/Http/Runner.php(65): Cake\Http\BaseApplication->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response), Object(Cake\Http\Runner))
#9 /home/public/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php(62): Cake\Http\Runner->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response))
#10 /home/public/vendor/cakephp/cakephp/src/Http/Runner.php(65): Cake\Routing\Middleware\RoutingMiddleware->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response), Object(Cake\Http\Runner))
#11 /home/public/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php(88): Cake\Http\Runner->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response))
#12 /home/public/vendor/cakephp/cakephp/src/Http/Runner.php(65): Cake\Routing\Middleware\AssetMiddleware->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response), Object(Cake\Http\Runner))
#13 /home/public/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php(81): Cake\Http\Runner->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response))
#14 /home/public/vendor/cakephp/cakephp/src/Http/Runner.php(65): Cake\Error\Middleware\ErrorHandlerMiddleware->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response), Object(Cake\Http\Runner))
#15 /home/public/vendor/cakephp/cakephp/src/Http/Runner.php(51): Cake\Http\Runner->__invoke(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response))
#16 /home/public/vendor/cakephp/cakephp/src/Http/Server.php(92): Cake\Http\Runner->run(Object(Cake\Http\MiddlewareQueue), Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response))
#17 /home/public/webroot/index.php(37): Cake\Http\Server->run()
#18 {main}

I attempted to see if removing the security/csrf component usage out would fix the problem, but then I just got the problem as I described at the beginning of the post (request not even reaching controller action).

All help/pointers are appreciated. Do let me know if certain additional information would be helpful.
Thanks in advance!


I found that CakePHP is not really the problem (not surprising as nothing was changed). It’s my ssl certificate using Let’s Encrypt. I disabled my automatic redirect to https and found that my forms worked fine on a non-encrypted connection. Looking into it, any help is welcome :stuck_out_tongue:


With further investigation, I found that the error is simply being caused by my form’s action always being submitted as ‘/’ instead of that defined in the form, which very well explains why the Security component gives me the error described when it is enabled (URL mismatch in POST data (expected ‘/login’ but found ‘/’)), and that I am redirected to my index otherwise.

I am currently looking through the call stack above, to find where exactly I’m losing the form’s specified action/url.

Edit: Here are debugs of the request from SecurityComponent.
Without SSL (+how it should look):

 [params => 
	[login => login, 
	 pass => [], 
	 controller => Users, 
	 action => login, 
	 plugin => , 
	 _matchedRoute => /:login/*,
	 _ext => , ], 
	 data => 
	 	[_csrfToken => *csrf*, 
	 	 username => user, password => pass, 
	 	 _Token => [fields => *fieldshash*, unlocked => , ],
	 query => [], 
	 cookies => [csrfToken => *csrf*, CAKEPHP => *sess*, dgss => *sess*, ], 
	 url => login, 
	 base => , 
	 webroot => /, 
	 here => /login, 
	 trustProxy => , ]

With SSL

[params => 
	[pass => 
		[0 => home, ], 
		controller => Pages, 
		action => display, 
		plugin => , 
		_matchedRoute => /, 
		_ext => , ], 
		data => 
			[_csrfToken => *csrf*, 
			 username => user, 
			 password => pass, 
			 _Token => [fields => *fieldshash*, unlocked => , ], 
		query => [], 
		cookies => [csrfToken => *csrf*, CAKEPHP => *sess*, dgss => *sess*, ], 
		url => , 
		base => , 
		webroot => /, 
		here => /, 
		trustProxy => , ]

You could see that the action at this point is root(/), instead of /login, I have no idea at the moment what is causing this, or if CakePHP is part of the issue in the first place.


How are you making the form opening tag? You might want to consider using the url option of $this->Form->create(...) to ensure you always get the URL you want and not the ‘current’ URL.


Hey, thanks for the reply. I have already tried specifying the url in there, it had no effect -> it was still getting “overridden” somewhere :\


If you look at the generated HTML is the / there? Or could there be redirects related to the SSL issues you were having.


no the form is generated correctly, something somewhere is going wrong when the form is submitted through https, changing the action before it reaches the SecurityComponent :\

So when the security component is active, it gives a URL mismatch as the url it expects is not ‘/’, and when it is not, the form simply submits to my home page (at root /) and thus nothing happens.

Edit: I suspect it may be something with Middleware. I’m not sure how it works or what is the use of it, but I will once I look into it. Figured I’d mention it in case it gave you a thought.

Also, it did start happening around when lets-nfsn repository was last modified, don’t think the changes would cause this but I suppose its possible (not very much a networking or CakePHP back-end expert just yet)


Ok. In situations like this it can be useful to use the network panel of your browser tools to capture any redirects that might be happening and hope that sheds some more light on what might be going on.


Alright will give that a try, see if it leads me to something new. Thanks a bunch. Will update the post if anything comes up.


I just setup TLS on NFSN and I am experiencing this exact same issue. When not using HTTPS, everything works fine. However, when I browse with HTTPS, CakePHP is routing everything as if the request was to “/” as opposed to what it should be, “/users/login” in my case.

Did you ever get anywhere with this?

Thanks in advance.


Hey! That does sound exactly like the problem I have. Unfortunately, I never got any further that I mention in this post…

The website this problem happened on first doesn’t necessarily require ssl so I’m just running it without for now, as I’ve been busy with other projects. However, I am currently using CakePHP for another project for a client, and if the problem reoccurs, then I will have to find the cause/solution!

Let me know if you find anything! Thanks and best of luck!


Thanks so much for checking in. I’m in basically the same situation, but I’d like to get SSL working. I will let you know if I figure anything out!

If anyone is able to assist in troubleshooting this, it would be much appreciated.



Hey, I just did some checks with the website on which ssl wasn’t working, and everything/ssl is working (with no changes from me) for some reason.

Also, there is now a post on the NFSN forums for an easier, single script to run for setting up Let’s Encrypt. I have gone ahead and swapped over to their script and everything still works. You should give that a try if you didn’t already.

This leads me to suspect CakePHP was not the problem here, even though I was led here from NSFN forums saying it doesn’t concern let’s encrypt :d. Not sure why it works now but I don’t want to spend time figuring it out right now, I’ll leave it be since it works!

Let me know if the “new” script gets it going for you. Best wishes.


Thanks for the update again.

I had disabled SSL, so after your post I re-enabled it, but unfortunately I am still seeing the same behavior with this site.

I created a new test site and copied my Cake source over to this one, and everything seems to work with SSL turned on. So, I guess I will be migrating everything to a new NFSN site.



My suspicion is incorrect webserver configuration (Maybe a misbehaving redirect/rewrite). What was the result of looking at your browser’s network panel (As suggested by @markstory)?


I’ve run into the same problem. Also with CakePHP and also on NFSN.

I tried moving my Cake source onto a fresh site, but that didn’t help. Watching the network panel before/during/after filling out a form shows nothing out of the ordinary, outside of the problem itself - I see my POST request, with the correct parameters, action, and url, only the ‘/’ page renders instead.

I created threads for it at the two links posted below, but so far haven’t heard back from anyone.


After some time, I started experiencing the same issue again with the newly created site. I’m still not sure what’s happening. Everything in my network panel seems normal as well.


Simple Cakephp Form and validation:


The issue fixed itself again and hasn’t happened in months at this point. Not sure what the deal was.