Invalid Token Errors in Joomla 1.5.X & 1.6.X

Invalid Tokens- I had been seeing this error on & off on some of the sites we were building both in Joomla 1.5 & 1.6. This error has caused a silent but significant furor on the Forums. Not just at Joomla.org but on the sites of quite a few Template & extension Developers as well. In this Blog, I hope to finally lay the question of why this error occurs to rest.

What are Tokens anyway?

Tokens first made their way into Joomla with Joomla 1.5.3. They were introduced as a security feature for forms. For any form submitted on a Joomla website, a token was expected to be passed. If this was incorrect or missing, you'd get an Invalid Token error. This is really good as it thwarts Spam & hack attempts.

What's affected?

All forms in Joomla are affected by this. This error was more noticeable in the Login & Registration forms as these are the most used. I am going to be addressing mainly the Login form related token errors in this post. But the solutions will typically apply to any kind of form.

Why are we getting Invalid Token Errors?

A. Missing Tokens

The Missing Token error can be fixed by upgrading to the latest Joomla version. But in case you have a template that's overridden Joomla forms. The Login form is almost always overridden. Then you need to edit the override to add a Small line in the form so that the Token is included.

 echo JHTML::_( 'form.token' );

* Note  for Joomla 1.6.X

The Token check was added to the Logout form as well for Joomla 1.6.1 so if you upgraded from Joomla 1.6.0 to 1.6.1, you might face this issue when you log out from the site. In this case, you need to add the above line to the Logout form in your login module override.

Adding the Token to the logout form, in my opinion, has caused a small pain. Since the Token is associated with the logout form, if you have a simply created a Logout Menu or link to log the user out, this won't work unless you have the Login module published on all pages in your site since the token will be missing in that case. So the Login Module has to be published on all the pages to avoid this.

B. Invalid Tokens

In case you are using any kind of Cache, then you might face this issue. One Solution is to make sure your Login module is set to "No Cache". Another thing you might want to check is if your System Page Cache plugin is switched off. The Joomla Global Config Cache setting only caches portions of your site & it adheres to the No Cache setting on module level. But the System Cache plugin will cache entire pages & ignore the module level settings. So this must be off. This is really bad as enabling page cache can give you great performance benefits. But you will have to do this till this issue is resolved.

One more thing you need to make sure is if you are loading the Login module inside a Joomla page using something like: loadposition user1} & Joomla Cache is turned on, then even if you set the module to no cache, it will be Cached & you might get this error.

Hope this post will be useful for anyone facing these issues!