XF Error returned - CSRF

Vincent Gabriel

Active member
For some reason i get this error when i try to install a new addon through the ACP:

Security error occurred. Please press back, refresh the page, and try again.

it appears to be coming from the CSRF check in the Controller.php class. But the CSRF is valid, and even if i return true in that method it won't show the error above but will just refresh and do nothing. This happens to pretty much everything in the ACP. i tried 1.3 and 1.4 and same result.

The thing is, this happens on my laptop but on a desktop at work everything works just fine. i tried changing virtual host, re-installing/un-installing, deleting cookies yet i get the same result. I was wondering if anyone can shade some light on this as i am not sure if this is a XF software issue or a specific issue with my laptop. Both running MAC OS latest i am using Chrome but tried with other browsers.



XenForo developer
Staff member
If it's only happening on your laptop, that would seem to imply that the data isn't being sent to the server properly. You can probably verify this by dumping the request data on the server (and comparing it to the request shown in the browser dev tools).


Active member
Shooting in the dark here, but is it possible you have a low limit on request variables (querystring/form parameters)? I believe the default in php.ini is 128, which is usually sufficient for XenForo, but can sometimes be exceeded in the ACP. You may also have a limit in Apache; I don't use Apache these days, so I don't really know if that's possible/probable. The CSRF token is often one of the last parameters sent, so it's likely to be excluded if your limit is too low. Alternatively, do you have any limits on file uploads? Does it work if you specify a file path on the server instead of uploading the XML file?

Vincent Gabriel

Active member
@Zenexer That was actually a long shot, but it worked.

php.ini setting was incorrectly set:

post_max_size = 200MB

instead of being

post_max_size = 200M

causing the post max size to be 0.

This is now resolved.