Bug #71582

TYPO3 7.6 LTS returns security token validation error almost everytime

Added by Nico Wellner about 6 years ago. Updated almost 6 years ago.

Must have
Backend User Interface
Target version:
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


Hey there!

I'm not sure, but I think I found a bug in the latest 7.6 LTS with my server configuration, so my fresh installations (without any extensions) are unable to interact in the backend. Almost everytime I try to submit a backend form, I get an error because of security token. I tried to fix it with following methods but it takes no affect:
- Reinstall that instance
- (Re-)Login and out
Fix "max_input_vars" in php to "5000"
- Clear all caches

I will be able to give root access to that, so someone could get direct view if desired. See picture for details of that error.

Interesting notices: No PHP or access errors are logged - same in ../typo3temp/logs. Not any kind of feedback neither in the ui nor in the typo3 logs. No errors in the install tool.Is there anybody from CoreDev who can help me?

Server configurations:
Webserver Apache/2.4.10 (Debian)
PHP Version 5.6.14-0+deb8u1
Database 5.5.46-0+deb8u1
Application Context Production
Operating System Linux 3.16.0-4-amd64



error-validation.PNG (49 KB) error-validation.PNG Nico Wellner, 2015-11-15 17:01

Updated by Tom Warwick about 6 years ago

Getting exactly the same problem 7.5 > 7.6

No third party extensions installed.

Server configurations:
Webserver Apache/2.4.16 (FreeBSD)
PHP Version 5.6.14
Database 5.5.26
Application Context Production
Operating System FreeBSD 10.2-RELEASE


Updated by Nico Wellner about 6 years ago

We found out, that we are also having problems with File-Uploads.
Again, after hours of checking Apache2, PHP, etc., we decided to delete Apache2 and work with nginx.

Now, this error doesn't appear anymore - also File-Uploads are working!
We don't know why, but our apache2 have had malfunction.

BUT - Besides the fact that it finally works with nginx, I maintain that it couldn't be the solution NOT to use Apache2.
What do you all mean?

Kind regards,


Updated by Helmut Hummel about 6 years ago

  • Status changed from New to Needs Feedback

You're saying that you have no issues with TYPO3 7.5 on the same server ?

I investigated a server recently and on that box $_POST requests were randomly discarded (plain PHP script without any TYPO3 involved). In such an environment TYPO3 of course cannot function properly.

Question is, if you face similar issues here or not.


Updated by Helmut Hummel about 6 years ago

Here is an example curl request you can test:

curl 'http://your-server.tld/test.php?M=user_setup&moduleToken=1b9047ae59a852bd3158019ed38d612c342bda67' -H 'Cookie: be_lastLoginProvider=1433416747; PHPSESSID=pamp04afm2d46m6k57agm309k1; be_typo_user=559ddca68304a1a26ee948870461bf19; Typo3InstallTool=ni98ca552e62ajkeergvo11q16' -H 'Origin: http://t6-001.ternum-dev.de' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36' -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OOg3F3POrOky32q' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: max-age=0' -H 'Referer: http://t6-001.ternum-dev.de/typo3/index.php?M=user_setup&moduleToken=1b9047ae59a852bd3158019ed38d612c342bda67' -H 'Connection: keep-alive' --data-binary $'------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[save]"\r\n\r\n1\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][realName]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][email]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][avatar]"\r\n\r\n0\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[lang]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][passwordCurrent]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][password]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[be_users][password2]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[startModule]"\r\n\r\nhelp_AboutmodulesAboutmodules\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[thumbnailsByDefault]"\r\n\r\non\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[titleLen]"\r\n\r\n50\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[edit_RTE]"\r\n\r\non\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[edit_docModuleUpload]"\r\n\r\non\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[resizeTextareas_MaxHeight]"\r\n\r\n500\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[copyLevels]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteWidth]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteHeight]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteMaxHeight]"\r\n\r\n\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[rteCleanPasteBehaviour]"\r\n\r\nplainText\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="simUser"\r\n\r\n0\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="formToken"\r\n\r\n1adcee0bc7fcb29b291a9037887c6fb16e027174\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[save]"\r\n\r\n1\r\n------WebKitFormBoundary6OOg3F3POrOky32q\r\nContent-Disposition: form-data; name="data[setValuesToDefault]"\r\n\r\n0\r\n------WebKitFormBoundary6OOg3F3POrOky32q--\r\n' --compressed

Please note to adapt the path to


The contents of this file just is:



The server I tested for Nico, discarded parts of the $_POST vars, which is the severe error condition I mentioned above.
I have no idea what can cause such errors, maybe a devops or ops person can help out here, but in this case we cannot do anything in TYPO3 to fix such broken setup.


Updated by Riccardo De Contardi almost 6 years ago

  • Status changed from Needs Feedback to Closed

No feedback within the last 90 days => closing this issue.

If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.
You could also join the #typo3-cms channel in Slack if you still need support.
Thank you


Updated by Alexander Opitz almost 6 years ago

  • Target version deleted (7 LTS)

Updated by Tom Warwick almost 6 years ago

I eventually found a fix for this.

In my case, I completely emptied /typo3temp and the problem was resolved straight away.

Hope this is of use.

Also available in: Atom PDF