Tags: codeigniter, cookies, csrf, codeigniter-3, csrf-protection

Codeigniter CSRF sometimes throwing error


First of all, this rarely happens. The form itself was submitted successfully 500+ times, and we received about 3 reports where users get the message "An Error was encountered: The action you have requested is not allowed".

This specific error can be found in the Security class PHP code, and is only shown when the CSRF tokens do not match, or if one or both (cookie/post) are missing.

Here are some relevant config values:

$config['cookie_prefix'] = 'prefix_';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf';
$config['csrf_cookie_name'] = 'csrf';
$config['csrf_expire'] = 86400;
$config['csrf_regenerate'] = FALSE;

As said, in almost all cases users have no issue submitting the form. When a user does have an issue, I tried to replicate the error by submitting the form myself, using identical input values and an identical browser/OS (cookies and JavaScript enabled, without browser plugins). But I wasn't able to simulate the error.

What could be causing Codeigniter to sometimes throw an error?


Solution

  • Do you allow the user to submit the form twice (you didn't add a form-blocker after the first submit, so while the first request is being processed the user can submit the form again with the same CSRF value)? If so, when the user submits the form twice, the first request causes CSRF to regenerate the csrf value, and the second request your user sends carries the old CSRF value; as a result you get this error.
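The double-submit sequence the answer describes, replayed as an added example (this is not code from the question, the answer or CodeIgniter itself): a reduced model of the compare-then-regenerate check, run once with csrf_regenerate on and once with it off. `$jar`, `csrf_verify` and `double_submit` are assumed names, and the model assumes the second request is processed after the first response's cookie has reached the browser.

```php
<?php
// Added example, not CodeIgniter's own Security class: a minimal model of the
// compare-then-regenerate token flow, replaying the double-submit case from
// the answer. $jar stands in for the browser's cookie jar (an assumed name);
// the cookie/field name 'csrf' comes from the config in the question.

function csrf_verify(array &$jar, array $post, bool $regenerate): bool
{
    $cookie = $jar['csrf'] ?? null;   // value the browser sent in the Cookie header
    $token  = $post['csrf'] ?? null;  // hidden field from the submitted form
    // Missing or mismatched pair: this is the branch that raises
    // "The action you have requested is not allowed".
    if ($cookie === null || $token === null || !hash_equals($cookie, $token)) {
        return false;
    }
    if ($regenerate) {
        // csrf_regenerate = TRUE: a fresh token goes out with this response,
        // so any form still holding the old hidden value is now stale.
        $jar['csrf'] = bin2hex(random_bytes(16));
    }
    return true;
}

// Two submissions built from the same rendered form, i.e. the same hidden token.
// The model assumes the second request is processed after the first response's
// Set-Cookie has been applied by the browser.
function double_submit(bool $regenerate): array
{
    $jar  = ['csrf' => bin2hex(random_bytes(16))]; // cookie set when the form page was served
    $form = ['csrf' => $jar['csrf']];              // hidden field rendered into that page
    $first  = csrf_verify($jar, $form, $regenerate);
    $second = csrf_verify($jar, $form, $regenerate); // re-submit with the old hidden value
    return ['first' => $first, 'second' => $second];
}

var_dump(double_submit(true));   // csrf_regenerate = TRUE
var_dump(double_submit(false));  // csrf_regenerate = FALSE, as in the question's config
```

Run it with the php CLI and compare the `second` element of the two arrays against the csrf_regenerate setting used.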