Invalid CSRF token


My SuiteCRM stack is:

  • Operating System: Windows Server 2019 Std 1809 (latest updates)
  • Web Server: Apache 2.4.54 (Win64)
  • PHP: 8.0.23
  • Database: MariaDB 10.4.25
  • HTTPS (self-signed)
  • SuiteCRM: 8.2.0

While working with SuiteCRM, I get errors of type: Invalid CSRF token. It is a POST 403 graphql problem according to the browser’s tools. Network scanning reveals that Requested Cookie is NOT the one that Response sends back! Log file more or less say the same:
request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: “Invalid CSRF token” at C:\xampp\htdocs

Upon browser refreshing a couple of times, everything is ok until next time.


Any ideas?

Thank you in advance,


I also get this error with SuiteCRM 8.2.0. SuiteCRM have to be reloaded to work again. I can find the following error message in logs/prod/prod.log:

[2022-11-02 10:35:36] request.INFO: Matched route "api_graphql_entrypoint". {"route":"api_graphql_entrypoint","route_parameters":{"_route":"api_graphql_entrypoint","_controller":"api_platform.graphql.action.entrypoint","_graphql":true},"request_uri":"","method":"POST"} []
[2022-11-02 10:35:36] request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Invalid CSRF token" at /usr/www/users/xxxxxxxx/ line 96 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException(code: 0): Invalid CSRF token at /usr/www/users/xxxxxxxx/"} []

We have the same behaviour. Did you solve it in the meantime?
Bitnami Docker:

  • PHP 8.0.25
  • Apache/2.4.54 (Unix)
  • SuiteCRM 8.2


For the moment, I did what is wrong and NOT suggested for production environments.

I edited file \core\backend\Security\CSRFValidationListener.php and abandoned line 96 that throws the error:

$value = $event->getRequest()->headers->get($this->headerName);
if (!$value || !$this->csrfTokenManager->isTokenValid($value)) {

But, I still consider the ticket open and I am investigating for a solution.



1 Like

Update to 8.2.1 did nit resolve the issue… :smiling_face_with_tear:

I feel irritated that there are not more admins facing this issue, which is massive from my perspective. Core hack should be not a solution…

Hello! did you open an issue at github? If not, I suggest to open a ticket to the issue tracker of the repository.

I just created one: Invalid CSRF token · Issue #180 · salesagility/SuiteCRM-Core · GitHub

Hello. After migrating from 7.12.8 to 8. I’m in the same behavior. Modifying onKernelRequest allows access but no menus. In short, it is not usable from the app. Any suggestions?

Core hack above works for us. We created a patch for that.

We were facing similar issue, in our case issue was cached files.
After clearing cache files as shown below

rm -rf cache
rm -rf public/legacy/cache

It started working :slight_smile:

Hi all!

Invalid CSRF token · Issue #180 · salesagility/SuiteCRM-Core · GitHub was closed recently with the launch of 8.2.3 version. So everyone is welcome to test it.



thanks for commenting

This is still an issue when Application is configured to use SAML, using native authentication https://<your suitecrm url>/auth will fail. Added a new issue Invalid CSRF Token when running native authentication with SAML configured · Issue #230 · salesagility/SuiteCRM-Core · GitHub

It’s still an issue with 8.3.1, fresh install, too.

Well, I finally got this working with both 8.3.1 and 8.4.0 … it turns out “” (PHP setting) needs to be left at the default setting :roll_eyes:

I don’t know if it will solve the issues mentioned in the thread above, but it might be worth a shot.

Tried installing a fresh copy of 8.5.0 and get the same issue (403 forbidden for /api/graphql). Unable to proceed with installation. Using Apache 2.4.43 and PHP 8.1.26.

This issue seems to be going on for a long time. Why do they keep releasing new versions when something as basic as installation doesn’t work?

It’s not necessarily a bug, sometimes (often) it is a problem with sysadmin tasks. If you don’t set up your server correctly, SuiteCRM can’t install.

Sometimes it’s a complex issue involving both sides of that equation - SuiteCRM has something not quite right for some scenarios, but not for all. So it passes tests, many people use it successfully, but some people run into problems.

It is more like some people use is successfully, most people run into problems and of those only a few bother to report and the rest move on to something else.

You know what they say: if it walks like a duck, talks like a duck. So many have reported this issue, so how can this not be a bug? I have a fresh install of apache, mysql & php based on the compatibility matrix. I followed the instructions that are provided and yet the installation failed.

I see so many enhancements and changes since 8.0, but what’s the point when this thing cannot even be installed. Perhaps more attention and time should be spent on making it reliable and robust.

And, I don’t even want to mention the complete failure of 7.x with PHP 8. Yet, the site claims it works with PHP 8. It does not, and that claim should be removed.

IMHO version 8.0 and PHP 8 support is 100% beta and should be marked as such. People should not be using those two in production. The only stable and usable version with predictability is 7.13 with PHP 7.

Bug reports very much welcome!