"CSRF token mismatch" (Cake 3.7.9)

I’ve read through the other topics with this same issue but none apply to my situation.

  1. I am getting this error from standard form posts (no AJAX at the moment).
  2. I am using the middleware like this:
->add(new CsrfProtectionMiddleware([
    'httpOnly' => true

I can verify that the form contains the CSRF token and that it matches my browser’s cookie.

However, I can also verify that I’m losing the $post variable when the middleware is run through its second pass (the response side). I’m debugging here:

vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php (Line 198)

protected function _validateToken(ServerRequest $request)
    $cookies = $request->getCookieParams();
    $cookie = Hash::get($cookies, $this->_config['cookieName']);
    $post = Hash::get($request->getParsedBody(), $this->_config['field']);
    $header = $request->getHeaderLine('X-CSRF-Token');

    if (!$cookie) {
        throw new InvalidCsrfTokenException(__d('cake', 'Missing CSRF token cookie'));
    # var_dump($post); var_dump($cookie);
    if (!Security::constantEquals($post, $cookie) && !Security::constantEquals($header, $cookie)) {
        throw new InvalidCsrfTokenException(__d('cake', 'CSRF token mismatch.'));
  • On the first pass, the values match.
  • On the second pass, $post is null.

What could cause this?