[FIXED] _Token was not found in request data in CakePHP 4

Issue

I have some issue with a simple signup function in cakephp 4, I enabled the FormProtection component and it return " _Token was not found in request data."

The token is already generated but I don't know why the controller cannot detect it

<?= $this->Form->create($user,['class' => '']) ?>
<?= $this->Flash->render('signup') ?>
<div class="inp-row">
<label for="">Full Name</label>
<?= $this->Form->input('name',["placeholder"=>"Your full name",'label'=>false,'required'=>true,'class' => '']) ?>
</div>
<div class="inp-row">
<label for="">Email Address</label>
<?= $this->Form->input('username',["placeholder"=>"Your email address",'label'=>false,'required'=>true,'type'=>'email','class' => '']) ?>
</div>
<div class="inp-row">
<label for="">Password</label>
<?= $this->Form->input('password',["placeholder"=>"Type your password",'label'=>false,'id'=>"pass_change" ,'required'=>true,'type'=>'password','class' => '']) ?>
</div>
<?= $this->Form->button(__('Sign up'));?>
<?= $this->Form->end() ?>

Function signup

$user = $this->Users->newEmptyEntity();
if ($this->request->is('post')) {

$user = $this->Users->patchEntity($user, $this->request->getData());
 if ($this->Users->save($user)) {
 $this->Flash->success(__("Your account has been created successfully."), [ 'key' => 'signup']);
        }

    }
$this->set('user', $user);


2020-05-05 23:48:32 Error: [Cake\Http\Exception\BadRequestException] `_Token` was not found in request data. in xxxxxx/vendor/cakephp/cakephp/src/Controller/Component/FormProtectionComponent.php on line 141
Stack Trace:
- xxxxxx/vendor/cakephp/cakephp/src/Controller/Component/FormProtectionComponent.php:95
- xxxxxx/vendor/cakephp/cakephp/src/Event/EventManager.php:309
- xxxxxx/vendor/cakephp/cakephp/src/Event/EventManager.php:286
- xxxxxx/vendor/cakephp/cakephp/src/Event/EventDispatcherTrait.php:92
- xxxxxx/vendor/cakephp/cakephp/src/Controller/Controller.php:569
- xxxxxx/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php:72
- xxxxxx/vendor/cakephp/cakephp/src/Http/BaseApplication.php:229
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:77
- xxxxxx/vendor/cakephp/cakephp/src/Http/Middleware/BodyParserMiddleware.php:164
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:73
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:77
- xxxxxx/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:137
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:73
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:58
- xxxxxx/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:162
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:73
- xxxxxx/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:68
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:73
- xxxxxx/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:119
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:73
- xxxxxx/vendor/cakephp/cakephp/src/Http/Runner.php:58
- xxxxxx/vendor/cakephp/cakephp/src/Http/Server.php:90
- xxxxxx/webroot/index.php:40

Solution

The security component is deprecated, its features have been extracted into the form protection component, and the HTTPS enforcer middleware. The fact that it's deprecated should probably be presented more prominently in the Cookbook.

Using both, the form protection component and the security component will lead to the error that you're encountering, as both, the security component as well as the form protection component, will remove the _Token from the request data once it has been validated, hence one of them will complain about the token not being present.

Long story short, don't use the security component, use only the form protection component. If you were using the security component's require SSL feature, then use the initially mentioned HTTPS enforcer middleware instead.

See also

• Cookbook > 4.0 Migration Guide > Deprecations > Component
• Cookbook > Middleware > HTTPS Enforcer Middleware

Answered By - ndm