We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

CSRF token, check failed - return only false


I have problem with csrf token.

In my form i have:

<input type='hidden' name='<?php echo $this->security->getTokenKey(); ?>' value='<?php echo $this->security->getToken(); ?>'/>

in controller, i check token with


and this return false only.

I have:

$di->setShared('session', function () { $session = new SessionAdapter(); $session->start();

return $session;


Edit: Hi, again. The problem exists when I'm redirected to the form page, and if I open it directly all work.

I open user/user, but i not logged and redirect me to login page->csrf no work; I open user/login direct and csrf is work.

Where is the problem?

i am not a bot, please


token checking is valid only once.

first time you execute checkToken() the token ( in the session ) will be removed. My guess is this is what is causing your problem


Hi @yanancom you must use getSessionToken() to get last token, or use checkToken( , ,false) use false at last param to not destroy if the token is valid

Good luck

Thanks for help, Emilio.

AJ, I get your comment about the hair - the thing is, would the person asking to touch it feel free to ask the same thing of an African American mom and her child, or did the person see the kid as available for curiosity-seekers simply because she obviously adopted? My List Theory Why You Can't Break Up With A Drunk Person