Support » Plugin: Cloudflare » Invalid CSRF Token on 3.0.1

  • Am running CF 3.0.1 on an http site and https (the latter with a CF certificate). DNSSEC is active.

    Both sites run fine, but I cannot change any setting on the 3.0.1 CF plug, and get the red crawl bar that says “CSRF Token is invalid”. I’ve re-logged in multiple times, with my authorized email and Global API key (not the CA key).

    Could this be a cache issue? Maybe because 2-factor is on?

Viewing 15 replies - 46 through 60 (of 64 total)
  • @edgemarketing,

    Its possible they haven’t released the update yet. They sent us a version for testing, we tested it internally and it worked. I’m not sure when they plan to release but we expect this issue to be fixed in the next release of their plugin!


    That is so exciting! Thanks so much!

    Sorry my fault. I thought it was updated. Just to clarify it does not work on Version To fix you need to change

    WP root folder / wp-content / plugins \ iwp-client \ init.php

    Line 97 which is

    $HTTP_RAW_POST_DATA_LOCAL = file_get_contents('php://input');


    $stream = fopen('php://temp', 'w+');
    stream_copy_to_stream(fopen('php://input', 'r'), $stream);
    $HTTP_RAW_POST_DATA_LOCAL = stream_get_contents($stream);

    If it still doesn’t work please submit a support ticket to InfiniteWP.


    Didn’t work for me. If that works for any of you other guys watching this thread would you post it?

    @edgemarketing could you clear your browser cache and purge cloudflare cache. If it still doesn’t work could you submit a support ticket to InfiniteWP.


    I may try it on a couple different domains with different plugins first. I did clear my cache in both places.

    This is still an issue on new installs – any update from IWP?

    Hi @razorfrog,

    There hasn’t been any further notices from IWP. I’d suggest you to submit a support ticket to IWP.

    I’m running the most recent updates of the Cloudflare plugin and the IWP plugin and I’m still getting this. What am I doing wrong?

    Isn’t is true that both you and infiniteWP should change their code? You said your plugin does this:

    For non GET requests we get the body of the request like this:
    ' $body = file_get_contents('php://input');

    Otherwise any other plugin that exists would not be able to use this method just because yours does?

    Hi @2020media,

    That’s a good question. That piece of code is only called when wp_ajax_cloudflare_proxy hook is triggered. This hook is reserved for Cloudflare WordPress Plugin.

    By the way, the support team at infiniteWP did say “We also have contacted the plugin developers to check if they can change their code slightly to get this issue fixed.”

    I am just a user of both services so I’d just like them both to work!

    The hook you mention, once it’s called (i.e. your plugin is enabled), is it going to prevent any other plugin that uses file_get_contents(‘php://input’); from working?

    > The hook you mention, once it’s called (i.e. your plugin is enabled), is it going to prevent any other plugin that uses file_get_contents(‘php://input’); from working?

    If the hook is called it’ll consume the data on that page. This hook should only be called in WP Admin > Settings > Cloudflare page. It shouldn’t be used anywhere else by design. Meaning it won’t have effect on anywhere else except Cloudflare Setting page. No other plugin should care about the value of file_get_contents(‘php://input’) function the Cloudflare Setting Page.

    I tested with IWP Admin Panel v2.11.1.1, Cloudflare WordPress Plugin worked. I’d recommend using the latest version of each plugin and try again.

    Hey @jwineman,

    The code that you guy sent us did not work! I am yet to hear from you about what happened to the test environment that you set up?
    We haven’t made any change to our code so I’m not sure how it is working with IWP Admin Panel v2.11.1.1 for @furkan811 🙁
    Can you please get to the bottom of this and help us out here cos there’s a lot of clients facing this issue on our side and we want to get this sorted at the earliest?


    Is this plugin even really necessary? I mean, I use a W3 Total Cache and it will clear cloudflare cache from the plugin dashboard. What’s the value of the Cloudflare plugin at that point?

Viewing 15 replies - 46 through 60 (of 64 total)
  • The topic ‘Invalid CSRF Token on 3.0.1’ is closed to new replies.