Symfony 3.0.1 CSRF token present but invalid

Published 2020-06-12 03:25

Question:

I am having this strange issue with a fresh Symfony 3.0.1 installation. I generated a new CRUD Controller with a Form PostType which contains an url and a title. Nothing fancy.

The form is rendered as expected. It contains both my url field and title field. Inside the form the hidden input field _token is also rendered.

When submitting this form, I am getting the following error all the time:

The CSRF token is invalid. Please try to resubmit the form.

So the token is added to the form, it contains a value, I have a constant PHP session cookie value, it is just that this token is invalid.

I have searched for other answers but the similar questions are all caused by the absence of a _token input.

This problem also occurs in Symfony 3.0.2/3.0.3.

Answer 1:

In my case it was that the var/sessions/ folder wasn't writable. The default is var/sessions which is set at config.yml.

session:
    # http://symfony.com/doc/current/reference/configuration/framework.html#handler-id
    handler_id:  session.handler.native_file
    save_path:   "%kernel.root_dir%/../var/sessions/%kernel.environment%"

Make sure you have var/ folders writable.

chmod 775 -R var/sessions/
chmod 775 -R var/log/
chmod 775 -R var/cache/


Answer 2:

I just had a similar issue with Symfony 3.2

The CSRF token is invalid. Please try to resubmit the form.

After hours, we finally found the issue was related to session.cookie_secure (https):

Our production environment uses https and thus forces cookies to be secured over https. The dev environment used http. After moving the dev from HTTP to HTTPS, the problem was fixed.



Answer 3:

I'm using Symfony 3.2.1 and it's working on one machine but not the other. No idea why.

@Shrihari's answer led me to the following solution.

My project also has cookie_secure: true. I updated config_dev.yml and added cookie_secure: false to the file.

framework:
    session:
        cookie_secure: false

This worked for me.
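Why the token can be "present but invalid" in the cases the answers above describe (a Secure session cookie on a plain-http site, or a session folder that cannot be written), shown as an added example that is not part of any answer and is not Symfony code. It is a simplified model: the `Server`, `Browser` and `submit` names are hypothetical, and `PHPSESSID` is assumed as the session cookie name (PHP's default).

```python
import secrets

class Server:
    """Simplified model of a session-backed CSRF check (not Symfony code)."""
    def __init__(self, cookie_secure, storage_writable=True):
        self.cookie_secure = cookie_secure
        self.storage_writable = storage_writable
        self.sessions = {}  # session id -> session data

    def _load(self, cookies):
        # Reuse the id the client presents, else start a new session.
        sid = cookies.get("PHPSESSID") or secrets.token_hex(8)
        return sid, dict(self.sessions.get(sid, {}))

    def get_form(self, cookies):
        sid, data = self._load(cookies)
        data["csrf"] = secrets.token_hex(16)
        if self.storage_writable:  # unwritable save path: data is lost
            self.sessions[sid] = data
        cookie = {"name": "PHPSESSID", "value": sid, "secure": self.cookie_secure}
        return data["csrf"], cookie

    def post_form(self, cookies, token):
        _, data = self._load(cookies)
        expected = data.get("csrf")
        return expected is not None and secrets.compare_digest(expected, token)

class Browser:
    def __init__(self, scheme):
        self.scheme, self.jar = scheme, {}

    def store(self, cookie):
        self.jar[cookie["name"]] = cookie

    def cookies(self):
        # Secure cookies are only attached to https requests.
        return {n: c["value"] for n, c in self.jar.items()
                if not c["secure"] or self.scheme == "https"}

def submit(scheme, cookie_secure, storage_writable=True):
    """Fetch the form, then post it back; True if the token validates."""
    server, browser = Server(cookie_secure, storage_writable), Browser(scheme)
    token, cookie = server.get_form(browser.cookies())
    browser.store(cookie)
    return server.post_form(browser.cookies(), token)

if __name__ == "__main__":
    for case in [("https", True), ("http", True), ("http", False)]:
        print(case, submit(*case))
    print("unwritable storage", submit("https", True, storage_writable=False))
```

In every failing case the form still carries a token; what is missing is the server-side session that token was stored in. Serving dev over https, as the earlier answer did, fixes the mismatch while keeping the same cookie policy as production.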



Answer 4:

It seems to be a bug in Symfony version >3.0, <3.0.3.

As @yellowmen pointed out, changing the framework.session.save_path in the config.yml fixes the problem.



Answer 5:

The bug is also present in 3.0.4. save_path: ~ worked for me.



Answer 6:

I experienced a similar problem with Symfony 4.2 when switching from dev to test environment.

I had the following setting in my framework.yaml file:

framework:
    session:
        storage_id: session.storage.mock_file

Solution:

Removing the storage_id: session.storage.mock_file-setting solved the problem.

Important: You probably have to clear the cache for this to take effect.

For more information about the storage_id-configuration option also see here.



Answer 7:

I had the same on env=dev but not on preprod (Symfony 4.4).

--Solution--

The sessions dir was missing in the root. I created one, and then the problem was solved.

Cheers