Token Mismatch Error

everytime one of my users try to login on the first try they get the below error

We encountered an error (token mismatch). This probably means that the page you were using expired. Please try again

but when they try logging in a second time theres no issue. I have also experienced the issue.

please help !!

  • yeah get those a lot of times, dont understand why the connection to elgg isnt permanent, i dont have to login every single time i connect to facebook... its a pain, and if you open the site and login a bit later you get the token mismatch error...

  • This was brought up in another forum. What I can say I have experienced is that our site is configured to use no subdomain ( instead of however, if you attempt to access the site via "" and log in, this is where the token errors come up. I have been meaning to start researching a solution for this.

  • the elgg support is horrible at the moment ive tried everywhere to get an answer for this but no go ... onle pete seems to be up to date with his support for themes...sigh ..

  • p.s i have a feeling it might be something to do with cookie settings from what Phillip said.

  • I ran into this problem recently as well.  I realized that elgg is sensitve to the url link.  If you configured the site url to be and you leave off the www when you type it in the browser, you get the token mismatch 100% of the time.  If you look at your url, Elgg then moves you to the proper site, and then you can login without error.  Elgg is a part of the site I created so I had to go to an absolute link vs a relative link in the pages that link to the elgg portion of the site.

    It was a pain in the butt.

  • Easy solution: redirect h t t p://www  to h t t p:// or vice versa using .htaccess with a RewriteRule

  • The problem is connected to action_gatekeeper() from /engine/lib/actions.php.

    This function uses another security function called generate_action_token() from the same php file.

    generate_action_token() generates a md5 encrypted string from the following parameters:






    It's triggered when you enter the elgg site so the get_input('__elgg_token') holds the return md5 of this function. The actual error that I encountered happens inside action_gatekeeper() at the line containing the following code: if (strcmp($token, $generated_token)==0)

    It means that the generated result from the hidden field in the form does not coincide with just generated one a few lines above. The reason being the $_SESSION['__elgg_session'] variable. By commenting it out I solved my problem but that didn't satisfy me. I investigated farther and figured out that the actual value of this variable comes from engine/lib/sessions.php from the line containing

    if (!isset($_SESSION['__elgg_session'])) $_SESSION['__elgg_session'] = md5(microtime().rand());

    So I came up with the idea of deleting all records from table $prefix_users_sessions. And that was finnally it. It works now but it is a troublesome bug which will no doubt happen again unless I comment out $_SESSION['__elgg_session'] from my code. And that's a nasty approach. I would like to have this bug fixed instead.

  • @Boris, most likely what is happening is that you have set your canonical url to include www and are hitting the site without the www (or vice-versa). This results in different php sessions being created and Elgg throws the token error message. As I mentioned above, the best way to deal with this is to create a rewrite rule so that everyone uses only one form of your url.

  • @Cash, my url has no www prefix. I've tried what you've advised with the .htaccess. I'm not goot at regexps used in it so just to be sure it has nothing to do with it could you please post the two of your RewriteRules for me. Thank you in advance.

    By the way referring to a canonical name. Where should I look it up? In httpd.conf? And it must bear the www prefix?

  • Check your sites entity table in your database. That table has your site url.

    For mod_rewrite rules you could try variations on these (first one redirects to www):

    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$$1 [L,R=301]


    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    RewriteRule ^(.*)$$1 [L,R=301]