Bad Request - Security Component (Cakephp 3)

I have a project on my localhost that uses the Security Component and everything works fine. I have the same project duplicated and its the other way round. All the forms, except the login is being blackholed.

Here’s what my setup looks like.


* @return void
public function initialize() {



public function initialize() {
    $this->Auth->allow(['logout', 'register', 'forgotPassword', 'resetPassword', 'activateAccount']);

public function beforeFilter(Event $event) {
    $this->Security->setConfig('csrfUseOnce', true);
    $this->Security->setConfig('unlockedFields', ['payment_action', 'g-recaptcha-response']);
    $this->Security->setConfig('blackHoleCallback', 'blackhole');

I’ve confirmed that the csrf is generated as hidden field along with _Token fields (same as in the other project, but it just doesn’t work

No fields are generated statically, no names are overidden, forms are generated using
Forms are closed using

Here’s an example of the a form, its got just one field, but it is always bllackholed

<?= $this->Form->create($user, ['id' => 'tfaForm', 'class' => "form-horizontal form-material", 'autocomplete' => 'off']); ?>
   <div class="form-group ">
      <div class="col-xs-12 col-md-3">
        <?= $this->Form->text('tfa', ['labelOptions' => false, 'class' => 'form-control', 'placeholder' => "6  digit Code", 'autofocus']); ?>
	<div class="form-group m-t-10">
	    <div class="col-xs-12 col-md-4">
            <?= $this->Form->button('Submit', ['class'= > 'btn waves-effect waves-light btn-primary btn-sm']); ?>
<?= $this->Form->end(); ?>

The validatePost() method of the Security Component keep returning false. Is there something I’m not getting? I would appreciate a technical explanation.

Thanks in advance.