Rest_cookie_invalid_nonce error

I have just created a new Bedrock website. It's my first experience with Bedrock, so excuse me for my lack of experience.
I got an issue with rest_cookie_invalid_nonce that disables the wp-admin area of my site. I can't edit any post, upload any media, etc.

The error is the following:

{
    "code": "rest_cookie_invalid_nonce",
    "message": "Cookie check failed",
    "data": {
        "status": 403
    }
}

It happens to many files in my admin area:

I have researched it and found several posts suggesting that it is related to Bedrock.

Older posts related to the subject:

  1. Updating failed error on Bedrock
  2. Rest_cookie_invalid_nonce on MultiSite Instances
  3. WooCommerce REST API (401 / 403)

The first two posts have not been resolved. The third one was concluded with success. I have tried to implement its solution, but without any luck.

The solution: add this to application.php:

/**
 * Use DOMAIN_CURRENT_SITE as the cookie domain. This ensures cookies and
 * nonces are using the correct domain for the corresponding site. Without
 * this, logins, REST requests, Gutenberg AJAX requests, and other actions
 * which require verification will not work.
 */
Config::define('ADMIN_COOKIE_PATH', '/');
Config::define('COOKIE_DOMAIN', env('DOMAIN_CURRENT_SITE'));
Config::define('COOKIEPATH', '/');
Config::define('SITECOOKIEPATH', '/');

I must mention that my site sits behind a GCP LoadBalancer. Usually I configure these four cookie settings to be able to work with cookies on WP projects I run that are located behind an LB. It's the first time I have encountered this problem.

I also refreshed the Authentication Unique Keys and Salts, just in case it might help, and cleared the cache of my site as well, without success.


Any idea how I can resolve the rest_cookie_invalid_nonce error?
Maybe I missed some configuration?

I really appreciate any help offered.
Thank you!

Hi @neoswf,

  • Are you running a Multisite or a regular single site?
  • Do the errors occur only in DEV or in other ENVs as well?

I’ve only encountered Cookie issues when running a Multisite…

If so then make sure that you are also copying all the Multisite setup-aspects from application.php.

Hi @evance, and thank you for your response.

  • No, I'm running a single website (behind a load balancer).
    I always had to use this cookie config, due to the load balancer.
  • The error happens on production.

Man, so maybe I have a wrong config related to multisite?
Or maybe this issue is related to the fact that I'm behind a load balancer, and it suffers from the same issues a multisite has?

Either way, I applied the same modifications you have applied, and it's not working for me.

If you’re running a single site then you don’t need that config part…

In fact it won’t work since it is Multisite-specific – DOMAIN_CURRENT_SITE will not be set in your .env

Config::define('COOKIE_DOMAIN', env('DOMAIN_CURRENT_SITE'));

See the Trellis Multisite docs for more info on where those settings are coming from.

I’d suggest to get rid of the config changes and start from scratch.

Maybe the load balancer is the issue – use the HTTP Toolkit to maybe get more insights into what is going on.

Sorry, that’s all I can offer…

I actually had to add this variable, DOMAIN_CURRENT_SITE, to my env file by hand to be able to use the config this way. I thought that it might not hurt, since I'm going to have several environments, so I just gave it a try.

I always use this config, since I log in behind a load balancer. Without it, I just can't log in.

Can you explain to me in a very few words how to use the HTTP Toolkit to debug the issue? I have never used it before.

Thank you :pray:

Hi @neoswf,

The HTTP Toolkit has excellent documentation and also a quick-start guide, so please check there :wink:

Good luck with your project!

Thank you evance.
I did not mean to ask you to guide me in using the tool. I worded myself wrong. My bad.
I meant to say: as far as I understand, this error is related to invalidation of the token the cookie is using. One of the possible sources of the problem is cache issues on the site, a thing I eliminated (as far as I can see).

And as far as I understand, the Bedrock .env config file sets straight the domain of the cookie. So I guess that using the HTTP Toolkit, I would be able to understand how the domain is configured in the REST cookies. Was that what you meant?

Thank you for your direction and help!

I am not sure if inspecting the HTTP requests will yield anything of use for your specific case – it is just something I personally would do in order to better understand what steps / connections are involved.

Either you try it out or you don’t, that’s up to you :sunglasses:

Can’t offer more insights here, sorry…

Sure thing. Installing it now. Thank you!

Just to document my advances on the topic:

  1. Not related to the load balancer - the problem happens on localhost as well
  2. Not related to the cookie configuration - deleted the config and the problem still persists
  3. Not related to the Nginx production-specific configuration - the problem happens on localhost as well

OK. I have discovered the problem in the end.
On a vanilla WordPress, behind an LB, I had to define the domain cookies (as mentioned above), and because of the HTTP to HTTPS LB redirect, I had to set the siteurl and home like this: //my.domain.com.
This made the REST cookie go nuts!
No idea why in Bedrock I do not need to set all these things, but without them, the site works perfectly and does not require adjustments!
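
An added example, not part of the original thread: a small Python check of a Bedrock `.env` for the settings discussed here, a protocol-relative home/site URL and a `DOMAIN_CURRENT_SITE` cookie domain on a single site. It assumes Bedrock's usual `WP_HOME` and `WP_SITEURL` variable names; the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the thread: protocol-relative home URL and a
# hand-added DOMAIN_CURRENT_SITE on a single (non-multisite) install.
SAMPLE_ENV = '''
WP_ENV=production
WP_HOME=//my.domain.com
WP_SITEURL="${WP_HOME}/wp"
DOMAIN_CURRENT_SITE=my.domain.com
'''

def parse_env(text):
    """Parse KEY=VALUE lines, strip quotes, expand ${VAR} from earlier keys."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().strip("'\"")
        env[key.strip()] = re.sub(
            r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), value)
    return env

def check_env(env, multisite=False):
    """Return a list of findings about URL and cookie-domain settings."""
    findings, hosts = [], {}
    for key in ("WP_HOME", "WP_SITEURL"):
        value = env.get(key, "")
        parts = urlsplit(value)
        hosts[key] = parts.hostname
        if value.startswith("//"):
            findings.append(f"{key} is protocol-relative: {value}")
        elif parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"{key} is not an absolute http(s) URL: {value!r}")
    if hosts["WP_HOME"] != hosts["WP_SITEURL"]:
        findings.append("WP_HOME and WP_SITEURL point at different hosts")
    domain = env.get("DOMAIN_CURRENT_SITE", "").lstrip(".")
    if domain and not multisite:
        findings.append("DOMAIN_CURRENT_SITE is set but the site is not multisite")
    home = hosts["WP_HOME"] or ""
    # A cookie domain only covers the host itself or its subdomains.
    if domain and home != domain and not home.endswith("." + domain):
        findings.append(f"cookie domain {domain} does not cover host {home}")
    return findings

if __name__ == "__main__":
    for finding in check_env(parse_env(SAMPLE_ENV)):
        print("WARN:", finding)
```
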