Invalid Token on Joomla Login

If you have been using Joomla for a long time, you may have faced the dreaded “Invalid Token” error when you try to log in to the Joomla website (the real website, not the control panel), or when you try to perform other activities, such as voting or submitting forms.

In this post we will explain why invalid tokens exist, what might have caused your invalid token problem, and how to fix it.

What are invalid tokens and why do they exist?

Joomla is a CMS that is targeted by spammers. Many spammers try to automatically create an account on a Joomla website, and then automatically log in and post obscenities and/or spam on your website.

The Joomla developers figured out a way to block spammers from doing this: assign a cookie to the PC trying to log in.

If the cookie is not there, the system returns an “Invalid Token” error. So, in short, tokens (and the “invalid token” error) were created as a first line of defense against spammers. But, as you have probably guessed, this has side effects…

Why are you getting this invalid token error?

Now, since it’s your website and you (or your legitimate users) are trying to log in to it (or vote, or submit a form, etc.) normally, you theoretically shouldn’t see the “Invalid Token” message.

However, since you are reading this post, then you have obviously experienced it! But why? Well, there are many reasons for you to get this error, and here’s a list of the most common ones:

  • Expired cookie: The cookie that Joomla expects you to have has expired. Deleting your cookies and trying to log in again will fix the problem.
  • Caching: Caching often creates problems on a Joomla website. It’s amazing how many conflicts this very useful feature creates in Joomla (maybe the future of Joomla will feature a better caching system?). There are two ways to address the caching problem:
    • Disable caching entirely. This is a two-step process:
      • Log in to your Joomla control panel, go to Site, Global Configuration, System, and click “No” next to Cache under Cache Settings.
      • Disable the System cache plugin: go to Extensions, Plugins, search for System – Cache, click the checkbox next to it, and finally click Disable at the top right.
    • Fix the code for the login (or the other feature you’re having problems with) yourself, by commenting out the check for the token. Note that this removes the token protection described above from that feature. (You may need Joomla Experts to do that for you!)
  • JomSocial: JomSocial is known to conflict with the user login on a Joomla website. There are several ways to solve this problem:
    • Uninstall JomSocial: Go to Extensions, then the Install/Uninstall page in your Joomla Control Panel, and uninstall JomSocial.
    • Disable JomSocial plugins: Disable all JomSocial plugins. This will also solve the problem, but will definitely cause problems with JomSocial.
    • Fix the JomSocial code: Again, you may need Joomla Experts to do that for you.
  • Using legacy mode (Joomla 1.0 mode): Using Joomla in legacy mode is known to cause this problem. Just disable the legacy mode plugin. Warning: This measure may break many other features.
  • Using legacy code for checking for tokens: Some versions of Joomla and some Joomla templates contain legacy code to check for tokens. This code needs to be changed. Here’s how to fix this problem:
    • Open the file /modules/mod_login/tmpl/default.php and change the line <?php JUtility::getToken(); ?> to <?php echo JHTML::_( 'form.token' ); ?>
    • In many cases, the login module is overridden by the template, so you also need to check the login code in your template to see if it’s using JUtility::getToken(); and change it to the echo JHTML::_( 'form.token' ); call shown above.
  • Disabled cookies in the browser: If cookies are disabled in your browser, you will definitely see this problem. Enabling cookies will fix it.
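
A check for the legacy-token cause above, as an added example (not code from the original post or from Joomla): this Python script classifies the core login layout and every template override of it by which of the two token calls it contains. The override location templates/<name>/html/mod_login/ is Joomla's standard module override path; the sample files and the template names theme_a and theme_b are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# The two calls named in the article; PHP class names are case-insensitive.
LEGACY = re.compile(r"JUtility\s*::\s*getToken\s*\(", re.I)
CURRENT = re.compile(r"echo\s+JHTML\s*::\s*_\s*\(\s*['\"]form\.token['\"]\s*\)", re.I)
FORM = re.compile(r"<form\b", re.I)

def classify(source):
    """Return 'legacy', 'missing' or 'ok' for the text of one layout file."""
    if LEGACY.search(source):
        return "legacy"   # still calls JUtility::getToken()
    if FORM.search(source) and not CURRENT.search(source):
        return "missing"  # has a form but no form.token call: review by hand
    return "ok"

def scan(joomla_root):
    """Classify the core login layout and every template override of it."""
    root = Path(joomla_root)
    candidates = [root / "modules/mod_login/tmpl/default.php"]
    # Joomla looks for module overrides in templates/<name>/html/mod_login/.
    candidates += sorted(root.glob("templates/*/html/mod_login/*.php"))
    return {
        path.relative_to(root).as_posix(): classify(
            path.read_text(encoding="utf-8", errors="replace"))
        for path in candidates if path.is_file()
    }

def build_sample_tree(root):
    """Write constructed sample layouts (not real Joomla files) under root."""
    samples = {
        "modules/mod_login/tmpl/default.php":
            "<form method='post'><?php echo JHTML::_( 'form.token' ); ?></form>",
        "templates/theme_a/html/mod_login/default.php":
            "<form method='post'><?php JUtility::getToken(); ?></form>",
        "templates/theme_b/html/mod_login/default.php":
            "<form method='post'><input name='username' /></form>",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, status in scan(tmp).items():
            print(f"{status:8} {rel}")
```

To check a real site, call scan() with the path to the Joomla root directory; files reported as legacy or missing are the ones to open and correct by hand.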