[yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/vendor/yiisoft/yii2/web/Controller.php:225

[krysimplas]

What steps will reproduce the problem?

Submitting any form, in this instance we are at the main login controller and submitting a username/password combination. The user registration form is also exhibiting the identical problem.

What is the expected result?

The user would be logged in successfully and see the next portion of the application when authentication is complete.

What do you get instead?

Bad Request (#400)
Unable to verify your data submission.

Additional info

We've tried in multiple browsers, Chrome, Firefox, and also cleared full cache, cookies, etc.

Q	A
Yii version	2.0.10
PHP version	7.4.18
Operating system	Ubuntu 18.04.5 LTS

We've read through other Issues with the same errors but have not had success implementing anything from those. This is a full dump from the Yii2 app.log with additional information on the CSRF tokens that are set when posting the form.

2022-01-13 10:38:53 [192.168.33.1][-][-][error][yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/vendor/yiisoft/yii2/web/Controller.php:225
Stack trace:
#0 /var/www/vendor/yiisoft/yii2/base/Controller.php(179): yii\web\Controller->beforeAction()
#1 /var/www/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction()
#2 /var/www/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction()
#3 /var/www/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest()
#4 /var/www/web/index.php(14): yii\base\Application->run()
#5 {main}
2022-01-13 10:38:53 [192.168.33.1][-][-][info][application] $_GET = []

$_POST = [
    '_csrf' => 'qFYVFD_Z48HY3AniC_YgzCWEnD_NNoqL9AQyak8qjlKeJHpOCKGCk72VeKcyuUinQ6nMDYZf_cK2YFBHPRvtGg=='
    'Users' => [
        'username' => 'user'
        'password' => '***'
        'rememberMe' => '1'
    ]
    'login-button' => ''
]

$_FILES = []

$_COOKIE = []

$_SERVER = [
    'REDIRECT_STATUS' => '200'
    'HTTP_HOST' => 'intra'
    'HTTP_CONNECTION' => 'keep-alive'
    'CONTENT_LENGTH' => '214'
    'HTTP_CACHE_CONTROL' => 'max-age=0'
    'HTTP_UPGRADE_INSECURE_REQUESTS' => '1'
    'HTTP_ORIGIN' => 'http://intra'
    'CONTENT_TYPE' => 'application/x-www-form-urlencoded'
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36'
    'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
    'HTTP_REFERER' => 'http://intra/site/login'
    'HTTP_ACCEPT_ENCODING' => 'gzip, deflate'
    'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.9'
    'PATH' => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin'
    'SERVER_SIGNATURE' => '<address>Apache/2.4.29 (Ubuntu) Server at intra Port 80</address>
'
    'SERVER_SOFTWARE' => 'Apache/2.4.29 (Ubuntu)'
    'SERVER_NAME' => 'intra'
    'SERVER_ADDR' => '192.168.33.10'
    'SERVER_PORT' => '80'
    'REMOTE_ADDR' => '192.168.33.1'
    'DOCUMENT_ROOT' => '/var/www/web/'
    'REQUEST_SCHEME' => 'http'
    'CONTEXT_PREFIX' => ''
    'CONTEXT_DOCUMENT_ROOT' => '/var/www/web/'
    'SERVER_ADMIN' => 'webmaster@localhost'
    'SCRIPT_FILENAME' => '/var/www/web/index.php'
    'REMOTE_PORT' => '61343'
    'REDIRECT_URL' => '/site/login'
    'GATEWAY_INTERFACE' => 'CGI/1.1'
    'SERVER_PROTOCOL' => 'HTTP/1.1'
    'REQUEST_METHOD' => 'POST'
    'QUERY_STRING' => ''
    'REQUEST_URI' => '/site/login'
    'SCRIPT_NAME' => '/index.php'
    'PHP_SELF' => '/index.php'
    'REQUEST_TIME_FLOAT' => 1642091933.2636
    'REQUEST_TIME' => 1642091933
]

[bizley]

Please try newest Yii version and let us know if problem persist.

[developedsoftware]

I have this issue also with version 2.0.45 and PHP 7.4.19

[virtual-designer]

@krysimplas abc::className() is deprecated in newer versions of PHP, use abc::class instead.

[bizley]

@virtual-designer it should not be a problem to still use that.

@krysimplas @developedsoftware could you prepare a minimal version of the app that will allow us to reproduce the problem?

[yii-bot]

It has been 2 or more weeks with no response on our request for more information.
In order for our issue tracker to be effective, we are closing this issue.

If you want it to be reopened again, feel free to supply us with the requested information.

Thanks!

This is an automated comment, triggered by adding the label expired.

[dragan1700]

I am having the exact same issue, but with the following setup:

PHP 8.1.7
Craft 3.7.43
OS Linux 4.15.0-169-generic

Can you please re-open this issue?

---

So, it turned out the culprit was Varnish; or more precisely - because this particular page was not in the Varnish policy. We've added it, and now it all works as expected. Sorry for the noise.

[developedsoftware]

Do you have a favicon? Are you using Firefox?

[dragan1700]

@developedsoftware I was using Chrome... I don't think a favicon is the real issue here.

[developedsoftware]

I thought that and wasted hours debugging.

I hadn’t supplied a favico at the public root - which meant index.php was processing the request for a favico (as the file couldn’t not be found using try_files in nginx).

Which would then change the csrf token on the server after the token had been inserted into my form doing a post request.

And then on submission the above error occurred.

I laughed and cried when I eventually figured it out.

I would check you aren’t doing any Ajax requests after your form is loaded or any other request that yii would process. Whenever it does the csrf token changes and your form then has a invalid csrf token