CubeCart will only accept certain actions such as posted forms once it has validated that the request is from the expected source. It does this by setting a security token on each page load which is generated by the server. Once an action is sent to the server it checks that the token has the expected value. It then trusts the data source and completes the requested action.
This is an important security feature to prevent "Cross-Site Request Forgery" which is an attack that forces the end user to execute unwanted actions.
You will get this message if;
- you have multiple browser windows or tabs open (with expired tokens).
- you use the browser back button (returning the token to an expired value).
- the session token is missing due to the amount form variables exceeding the maximum amount allowed by the server. Say for example PHP is set to allow a maximum input variables of 1000 but you have 1043 input fields on the page. The last 43 will be ignored by the server. For more info please see the PHP run time configuration value `max_input_vars`. More often than not the session token is last and as a result it is not found.
- somebody has tried to force you to perform an action without your consent.