Tags: csrf, cakephp-3.0

CakePHP 3.0.4 and Invalid CSRF token


I'm having a problem with the CSRF component since I updated to the latest CakePHP version, 3.0.4, yesterday. It looks like there is a security fix for previous versions, so I decided to upgrade as soon as possible, but since then I'm getting this error when I try to log in to my app:

Invalid CSRF token.

Strangely enough, I have seen a funny behavior while trying to figure out what is happening:

1) I went to my AppController.php, set the secure option of the Csrf component to false, then logged in -> it works

2) Set that option to true and logged in again -> it works

3) In (Chrome) incognito mode, tried to log in from there -> it fails (invalid CSRF token)

4) After the incognito failure, tried to log in again from non-incognito mode -> it works

Looking at the documentation I thought that enabling it and using the standard Form helper would be enough... do I need something else? Everything was working correctly with the 3.0.2 version I was using before.


Solution

  • The secure flag in the Csrf component means that the cookie will only be set if using a https (secure) connection. If the form is not generated and submitted over https, then it will block the attempt.
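As an added illustration (not code from the question or the answer), here is an AppController setup for a CakePHP 3.0 app that ties the `secure` flag to the scheme of the current request; it assumes a development server that runs over plain HTTP while production is served over HTTPS only.

```php
<?php
// src/Controller/AppController.php (example, not from the original post)
namespace App\Controller;

use Cake\Controller\Controller;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Flash');

        // With 'secure' => true the csrfToken cookie carries the Secure
        // attribute, so a browser stores and sends it only over HTTPS.
        // A fresh session over plain HTTP (the incognito window in the
        // question) never stores the cookie, the POSTed _csrfToken has
        // nothing to be compared against, and the login is rejected with
        // "Invalid CSRF token". A window that already held a non-Secure
        // cookie from an earlier secure => false run keeps working, which
        // explains why steps 2 and 4 in the question succeeded.
        //
        // Keep the Secure attribute wherever HTTPS is in use (it stops the
        // token cookie from travelling in the clear) and drop it only for
        // plain-HTTP requests, i.e. local development.
        $this->loadComponent('Csrf', [
            'secure' => $this->request->is('ssl'),
            'expiry' => 0,
        ]);
    }
}
```

In production the site should be reachable over HTTPS only, so the flag is effectively always true there; the dynamic value only keeps an HTTP development setup usable.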