Missing CSRF token body

I am using authentication, authorization plugins and also CSRF middle-ware.
and I am getting above error (Missing CSRF token body).

I tried to debug and i found something.
Middleware queue process one by one middlewares.
when it CSRF get processed then it get csrf token from parsebody method.
but after the process CSRF middleware unset the csrf data from the body.

and then in authentication middleware process again it calls CSRF validation and then it doesn’t find CSRF token in body(because it already unset in CSRF middleware) and it throws above error.

I fixed this by commenting unset line in CSRF.

`$body = $request->getParsedBody();

    if (is_array($body)) {

       // unset($body[$this->_config['field']]);

        $request = $request->withParsedBody($body);


please let me know is this valid behavior or am I doing something wrong.

I checked the Authentication plugin, and “CSRF” doesn’t appear anywhere in that code. Can you explain more about “in authentication middleware process again it calls CSRF validation”?

public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    $authentication = new AuthenticationMiddleware($this);
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))
        ->add(new CsrfProtectionMiddleware())
        ->add(new AuthorizationMiddleware($this))
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ->add(new RoutingMiddleware($this));

    return $middlewareQueue;

This is my code and i get error while login.

among any other problems, I think you will have to add your RoutingMiddleware earlier. Any other middleware that tries to use logic based on Cake Routing patterns and assumptions is going to fail

I tried adding CSRFMiddleware at the end but still same result.

My application has them in this order:

  • ErrorHandler (first so it handles all errors)
  • Asset (next so it minimizes processing for static files)
  • Routing (so that the route information is available for the rest)
  • Body Parser (which you aren’t using, that should be fine)
  • CSRF (make sure that the form contents are okay)
  • Authentication (uses form contents to log in)
  • Authorization (uses authentication results, so has to be after it)

I don’t expect that just changing it to this order will fix this issue, but it may help with other problems that you haven’t run into yet. But just randomly moving CSRF to the end is also not going to be useful, the main point here is that there’s a reason why things are in their particular order. Doing CSRF checks on form contents after you’ve used the form contents to log somebody in defeats the purpose! See the middleware chapter for more about this.

Assuming that this doesn’t solve the issue for you, what you’ll need to do is look at the call stack when the error is happening. There is no reason why anything should be checking the token again after the CSRF middleware has passed processing to the next level, so seeing the execution path that’s leading to that will be critical for understanding what’s going wrong; somewhere in there, something is calling something that it shouldn’t be.

Thanks for this, I have changed the order.

Looks like you have the CSRF Middleware installed twice. You can see that is called twice in the stack-trace on the left.

Thanks, I removed CSRF from Application.php and it worked.
but I checked but its not declared in bootstrap or app.

If you have an integrated debugger, but a breakpoint in the constructor for the CSRF middleware. If not, dump the stack trace in that function instead. Either way will point you to where it’s being added from. It should be happening twice, once where you expect and one other place.

1 Like

I am getting missing 'csrf token body ’ exception while doing form submission,

I added following in my application.php
->add(new CsrfProtectionMiddleware());
when the project is created through composer why there is this exception? I am new to php frameworks and I got stuck up here
how can I resolve this

Exactly like the previous poster, your stack trace shows that you have the middleware loaded twice, once before the BodyParser and once after.

Don’t add ->add(new CsrfProtectionMiddleware()); in application.php
its already added somewhere else.
remove or comment ->add(new CsrfProtectionMiddleware());
it will work perfectly.

after removing ‘->add(new CsrfProtectionMiddleware());’ It is working now thank you

1 Like