CSRF token mismatch


That means that you’ve got a post form that’s submitting an invalid CSRF token. See https://book.cakephp.org/3.0/en/controllers/middleware.html#csrf-middleware for more information.

If you would like any more help, you’re going to have to give us way more information that just a small snippet of a screenshot.

1 Like

It was ok before upgrade to 3.6.

I replaced bin and config dir
added src/Application.php

Error appear when i login. I use cakedc users plugin

Have you followed the full 3.6 migration guide?

I see you are still using the old CsrfComponent, you need to use the new middleware in 3.6

Based on that, I assume that you’ve used the default one, which automatically loads the middleware CSRF protector. This would clash with the component, and could quite easily cause the issue you are seeing.

1 Like

OK should i remove components from Appcontroller



You should remove loadComponent(‘Csrf’). It’s deprecated.
However, it’s not the cause of your problem.
You should upgrade your CakeDC/Users plugin to the newest version to be compatible with CakePHP 3.6.
Remember to change your configuration files of CakeDC/Users (permission and users) after upgrading. Use the sample files to make changes.
It took me a few days to fix all errors when migrating to CakePHP 3.6. The CSRF error is the most annoying thing to me. I had to search, try-and-fail a lot of times. Most of the time, it happens when calling AJAX.
If you have any trouble, I can help you.

1 Like

Thanks for your reply.
Yes. I removed Csrf component and upgraded Debug kit and Users plugin now it works good.
I am building rest API. I configured CORS on middleware and it work good.

Can you help me, ???
I didn’t know how to upgrade and remove the loadcomponent