For the impatient, simply upgrade to at least WHMCS 5.2.2!
Per WHMCS support…
In the latest version of WHMCS we introduced a new session handling class which includes a random session name per install. We also updated the standard WHMCS verify image to use this new class and not call session start itself.
Full back-story and resolution for those not running version 5.2.2, are unable to do the upgrade, or perhaps experienced trouble with this fix.
For the impatient, simply add this line to the end of your
For those interested in the full story …
Since right around the time we installed WHMCS version 5.1.2 in July 2012, we had been receiving an “Invalid Token” error periodically, yet quite regularly, when submitting a form on WHMCS (support ticket reply, invoice, etc.).
We opened a ticket with WHMCS support in August explaining the issue, hoping for that a response that would quickly resolve the issue. Unfortunately, that didn’t happen 🙁 The support team kept saying the error was due to the PHP session expiring and that it was essentially an issue with the hosting provider. With session.gc_maxlifetime set to 24 minutes we were surprised to see the Session ID change after only a few minutes.
In March 2013, our team finally tracked down the cause of this issue …
WHMCS by default uses the PHPSESSID cookie to track its session. If there are any other PHP applications on the domain which use the same cookie, it can cause a conflict which in WHMCS results in an “Invalid Token” error. It took us a while to track this down as the other apps on the domain gracefully recovered from the shared cookie.
To resolve the issue, we added the line of code below to our
Now the session cookie is called WHMCS and does not conflict with the other PHP applications on the domain.
Did this help you? Show some love with a comment!