For the impatient, simply upgrade to at least WHMCS 5.2.2!
Per WHMCS support…
In the latest version of WHMCS we introduced a new session handling class which includes a random session name per install. We also updated the standard WHMCS verify image to use this new class and not call session start itself.
Full back-story and resolution for those not running version 5.2.2, are unable to do the upgrade, or perhaps experienced trouble with this fix.
For the impatient, simply add this line to the end of your
For those interested in the full story …
Since right around the time we installed WHMCS version 5.1.2 in July 2012, we had been receiving an “Invalid Token” error periodically, yet quite regularly, when submitting a form on WHMCS (support ticket reply, invoice, etc.).
We opened a ticket with WHMCS support in August explaining the issue, hoping for that a response that would quickly resolve the issue. Unfortunately, that didn’t happen 🙁 The support team kept saying the error was due to the PHP session expiring and that it was essentially an issue with the hosting provider. With session.gc_maxlifetime set to 24 minutes we were surprised to see the Session ID change after only a few minutes.
In March 2013, our team finally tracked down the cause of this issue …
WHMCS by default uses the PHPSESSID cookie to track its session. If there are any other PHP applications on the domain which use the same cookie, it can cause a conflict which in WHMCS results in an “Invalid Token” error. It took us a while to track this down as the other apps on the domain gracefully recovered from the shared cookie.
To resolve the issue, we added the line of code below to our
Now the session cookie is called WHMCS and does not conflict with the other PHP applications on the domain.
Did this help you? Show some love with a comment!
Just so you know, this fix does not fully work. If you add this to your configuration.php, the captcha entries no longer work.
I’m having the same problem whilst I’m in the admin section of WHMCS. I can access every feature of WHMCS but when I try to save any changes I’m getting the error.
Si normal session.gc_maxlifetime la cate minute trebuie setat?
Am pus “session_name(“WHMCS”);” si tot invalid token primesc.
No dice 🙁 I can’t even log into the admin panel unless “remember me” is checked on. I get the same attitude from WHMCS though “It’s a php session problem which is the responsibility of your server admin”.
I pasted your line of code within the php island… any other suggestions?
Thanks for taking the time to document your solution. It didn’t make a difference for me (WHMCS 5.1.3), though.
Thank you! This was driving me crazy. And as you say, it would happen after only a few minutes of being logged in. Everything *else* in WHMCS would work, except for replying to support tickets.
The same issue came up on my WHMCS 5.2.5 install a couple of hours ago. In my case, unfortunately, the fix you’re suggesting didn’t work.
However, I was able to solve it simply by deleting all PHP sessions on my server AND the cookies on my browser (just deleting the session files didn’t work).
Of course, I’m not implying that your suggestion is worthless :-), just adding a note here in the hope that it can be of help to someone.
and set the permissions of /var/lib/php/session to 777
LOGOUT and then LOGIN , that resolved same problem for me…
Thank you for your help.
This didn’t work for me on the day I made the change, but the following morning it was fixed. I guess it was the session timing out. Thanks for taking the time to share the solution!
This should hopefully fix the issue, keeping the sessions managed only by WHMCS.
1. Create a new directory called ‘session’ and make owner/group writable.
2. open configuration.php and add the following:
session_save_path(__DIR__ . “/session”);
3. Open /.htaccess and add the below for security:
RewriteRule ^session/(.*)$ /index.php
It worked for me, nice job!
u awesome it worked
I’ve got this problem after i’ve updated the PHP on my server. The postinstall script resets the permissions of /var/lib/php/session folder. Correcting this has made WHMCS work again as it should. Setting another (not shared) writeable, individual session save path for the user that WHMCS runs under, will work too (and it’s the recommended way to go).
Of course, this will be the case of most PHP scripts that use sessions, not only WHMCS.
This worked for me 🙂
Thank you very much
It is a pretty good solution. Thanks
This problem cam be caused by nginx also wich can use all inodes .
In our case all available inodes in /tmp are being used up .
After clearing the /tmp/nginx_client folder all goes back to normal.
Reset your PHP connections either by rebooting server or kill all existing php connection on server or by using below command if it works for you-
Thank you for the article.