
v4 - Can't get session token


I'm currently trying to migrate one of my sites to v4.

Unfortunately my CSRF validations don't work anymore; it seems like there's a configuration issue somewhere.

These are my current security + session providers:

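    $di->set('security', function() use ($di) {
        $security = new \Phalcon\Security();

        // Set the password hashing factor to 12 rounds
        $security->setWorkFactor(12);

        return $security;
    }, true);

    $di->set('session', function() {
        $session = new \Phalcon\Session\Manager();

        // Store session data as files under /tmp
        $files = new \Phalcon\Session\Adapter\Stream([
            'savePath' => '/tmp',
        ]);

        // Attach the adapter and start the session
        $session->setAdapter($files);
        $session->start();

        return $session;
    });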

The session is created, but for some reason I can't get the security tokens to work:

    var_dump($this->session->exists()); // true
    var_dump($this->security->getToken()); // NULL

I'm not sure what I'm missing. It was working perfectly on v3, I only renamed the classes as per the upgrade guide: https://docs.phalcon.io/4.0/en/upgrade

Any advice?

Thanks!

I got the same code as you and it works fine on PHP 7.4.1, nginx 1.16.1, Phalcon v4:

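    // Assumed alias: the post does not show its import for SessionAdapter
    use Phalcon\Session\Adapter\Stream as SessionAdapter;

    $di->setShared('session', function () {
        $session = new \Phalcon\Session\Manager();

        $files = new SessionAdapter([
            'savePath' => sys_get_temp_dir()
        ]);

        // Attach the adapter and start the session
        $session->setAdapter($files);
        $session->start();

        return $session;
    });

    $di->setShared('security', function () {
        $security = new \Phalcon\Security();

        return $security;
    });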

Thank you very much for your reply.

I've got PHP 7.2.14, Phalcon 4.0.0 and nginx 1.15.8.

I've now also tried with PHP 7.4.1, Phalcon 4.0.0 and nginx 1.17.6 but sadly I've got the same results.

Any other ideas?

Many thanks!

Stranger, are you running on Windows? Vagrant? Docker? ...

Can you use pastebin to paste your php.ini?

Check if /tmp has permissions, and if the session is in there, or use the system default sys_get_temp_dir() instead of /tmp.

And you can also try to change the DI session to setShared (it could be regenerating and losing the session).


Thank you for your suggestions.

I'm running the app on Docker v19.03.5 with 2 containers:

  • nginx:latest
  • php:fpm

I've still got the default php.ini: https://paste.awesom.eu/Sq22&ln

I do find my session in /tmp: sess_eqkv927hvbr26rev9t4kpco71k. It's the same id as if I print $this->session->getId().

I've tried with sys_get_temp_dir() and also with setShared() instead of set(), same results.

I'm really at a loss here!

First you should set those to on:

    display_errors = On
    display_startup_errors = On

Restart php-fpm.

See if you get any error, warning...

The session configs are good, it's really strange.

Hello Renato,

For some strange reason it's working today, and $security->getToken() now returns a valid key.

There must have been some cache somewhere I'm not aware of.

Thank you so much for your help and sorry for the trouble.

I have the same problem!