Forums Bug Reports Thread

Learn: creating a course fails with "Invalid or missing security token"

Patrick Bass · Jun 6 · 19 · 1 Locked
[Major] [High Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 4:38pm

Where. /admin/learn/courses/new

What happens. Creating a course fails with:

Invalid or missing security token. Please refresh and try again.

Likely cause. The CSRF token is missing from the course-create form or is not validated correctly on submit.

Related. The same error appears on other Learn admin forms (role edit, SCORM upload); these likely share one root cause in the Learn admin CSRF handling.

Status: verified, reproducible (always). Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 10:01am

Resolved and deployed to production. Commit 0753b320f6.

All 48 Learn admin templates (including courses/new, scorm/new, cohorts/form) were using $_SESSION['csrf'] and name='_csrf' instead of the canonical $csrfToken / name='_csrf_token'. Mass-replaced across the entire Learn template tree. Course creation now works.

Status: fixed. Thread closed.

Patrick Bass
@mobieus

Related Discussions

Learn: SCORM upload fails with "Invalid or missing security token"
Bug Reports · 1 replies · 26 views
Learn: editing a role fails with "Invalid or missing security token"
Bug Reports · 1 replies · 19 views
Helpdesk: creating a queue fails with SQLSTATE[HY093] Invalid parameter number
Bug Reports · 1 replies · 19 views
Viewing a higher-tier user profile writes a false 'security.privilege_violation' audit + security-log entry
Bug Reports · 1 replies · 22 views
Course offer convert-to-learn and convert-to-moodle forms always fail CSRF (wrong field name AND wrong session key) — both admin actions unusable
Bug Reports · 1 replies · 26 views

Log in or register to reply to this thread.