form is missing __token or __ts fields

Hi All,

I know this same issue has come up several times before, but I have tried all the suggestions on other threads with no success. I am running Elgg 1.8.1 on an Ubuntu server with mysql. On uploading certain file types I get this message - form is missing __token or __ts field

I have changed the upload size restrictions in php.ini and have also tried disabling all 3rd party plug ins with no success. I would really like to able to upload zip files to my site but cannot.

Could this have something to do with permitted file types?

Any help would be greatly appreciated.

  • You'll usually get this error on file upload when the upload fails due to some server side restrictions. Check the following PHP variables:

    • post_max_size
    • upload_max_filesize

    Both have to be bigger than your desired upload limit. Don't set it in php.ini, as those values can (and will) be overridden by Elgg's .htaccess file. So set the value like "php_value post_max_size 10M" in your installation's .htaccess file. Verify the values by dumping a php config via phpinfo().

    If you're still unable to upload files, your server might run suhosin or a similar product, imposing further restrictions (you can also verify this via phpinfo()). You'll have to consult the given php hardening tool's manual on what restrictions might be in effect. G'luck!

  • Thanks for the info Andras. Still having a problem - perhaps I changed the wrong values. I changed the php.ini values to 200M, the htaccess values on /elgg/htaccess to 200M but when I run phpinfo() it tells me that my local value for post_max_size is 8388608

    Am I in the wrong location?

    Thanks again

  • That should be the right location. Can you paste here the relevant part of your .htaccess file, where you set these variables? Another possibility is that your apache setup does not allow overriding values from an .htaccess file (see Your httpd.conf or virtual server config file should contain an "AllowOverride All" directive somewhere.

  • Thanks again - here is the code ffrom htaccess:

    <IfModule mod_php5.c>
        # limit the maximum memory consumed by the php script to 64 MB
        php_value memory_limit 64M
        # register_globals is deprecated as of PHP 5.3.0 - disable it for security reasons.
        php_value register_globals 0
        # post_max_size is the maximum size of ALL the data that is POST'ed to php at a time (8 MB)
        php_value post_max_size 250M
        # upload_max_filesize is the maximum size of a single uploaded file (5 MB)
        php_value upload_max_filesize 250M
        # on development servers, set to 1 to display errors. Set to 0 on production servers.
        php_value display_errors 0

    But my httpd.conf is blank.


  • Just tried to add AllowOverride All to httpd.conf and this is the error I got upon restarting apache:

    AllowOverride not allowed here

  • Your .htaccess looks fine, so it is probably the AllowOverride settings. You can place the AllowOverride directive only within a Directory section, as it is stated by the documentation I linked you to earlier. You may be running on virtual hosts configuration, so try to find the virtual host entry for your site (maybe in /etc/apache2/sites-available , but the location depends on your operating system and also on apache version), then add the above AllowOverride statement within the Directory section.

  • Thanks for your response. I changed my sites-availabe as shown below. Still no luck after I added <Directory /var/www/elgg>
            AllowOverride All



    <VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        <Directory /var/www>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from ::1/128
    <Directory /var/www/elgg>
            AllowOverride All


  • Hi Again,

    Still no luck with my attempt to increase the file upload size. I have changed the php.ini and local elgg htaccess files to 120M, but when I run phpinfo() it tells me that the local post_max_size is 8388608. I have no idea where this value is coming from.

    Any ideas?

  • I guess you are changing the values in the wrong php.ini file. When executing phpinfo it should tell you the path of the where the php.ini file is found. In my case the master file is in /etc/php5/apache2/php.ini (opensuse), but this path should be standard.

    When calling phpinfo via a script in the elgg root directory you should also see both "local" and "master" php variable settings. The local settings are the values taken from Elgg's .htaccess file while the "master" values are taken from the main php.ini file.

    Local values should override the master values... in case you don't use for example suphp on your server. In this case all php settings in .htaccess files will get ignored.

  • Thanks for your reply,

    Yes - /etc/php5/apache2/php.ini is the file I have edited and those master values are correct when I run phpinfo(). I have also changed the local htaccess file in my Elgg directory to the same - 250M. But the local value still comes up as 8388608 run I run phpinfo() from the the Elgg directory. There is no other htaccess file on the server so I have no idea where the value is coming from. The master value of 250M is showing however which is being read from the php.ini value.

    Is there something I need to change in the "file" plug in perhaps?

    Thanks again to all who may have advice.