# Rest_cookie_invalid_nonce error

**URL:** https://discourse.roots.io/t/rest-cookie-invalid-nonce-error/26175
**Category:** bedrock
**Tags:** bedrock
**Created:** 2023-10-26T01:17:47Z
**Posts:** 11

## Post 1 by @neoswf — 2023-10-26T01:17:47Z

I have just created a new Bedrock website. It's my first experience with Bedrock, so excuse me for lack of experience.  
I got an issue with `rest_cookie_invalid_nonce` that disables my wp-admin area of the site. I can't edit any post, upload any media, etc.

The error is the following:

```
{
    "code": "rest_cookie_invalid_nonce",
    "message": "Cookie check failed",
    "data": {
        "status": 403
    }
}
```

It happens to many files in my admin area:

 ![Screenshot 2023-10-25 at 21.51.54](https://discourse.roots.io/uploads/default/original/2X/3/3cc8adb42c69d7c71e1c56670490999dbe9cbd10.png)

I have researched it and found several posts suggesting that it is related to `bedrock`.

Older posts related to the subject:

1. [Updating failed error on Bedrock](https://discourse.roots.io/t/updating-failed-error-on-bedrock-sage-wp-multisite-after-migrating-from-aws-to-kinsta/18047)
2. [Rest\_cookie\_invalid\_nonce on MultiSite Instances](https://discourse.roots.io/t/rest-cookie-invalid-nonce-on-multisite-instances/25252)
3. [WooCommerce REST API (401 / 403)](https://discourse.roots.io/t/woocommerce-rest-api-multisite-issues-401-403/21276)

The first two posts have not been resolved. The third one was concluded with success. I have tried to implement its solution, but without any luck.

The solution: add this to `application.php`:

```
/**
 * Use DOMAIN_CURRENT_SITE as the cookie domain. This ensures cookies and
 * nonces are using the correct domain for the corresponding site. Without
 * this, logins, REST requests, Gutenberg AJAX requests, and other actions
 * which require verification will not work.
 */
Config::define('ADMIN_COOKIE_PATH', '/');
Config::define('COOKIE_DOMAIN', env('DOMAIN_CURRENT_SITE'));
Config::define('COOKIEPATH', '/');
Config::define('SITECOOKIEPATH', '/');
```

I must mention that my site sits behind a GCP load balancer. Usually I configure these four cookie settings to be able to work with cookies on WP projects I run that are located behind an LB. It's the first time I have encountered this problem.

I also refreshed the Authentication Unique Keys and Salts, just in case it might help, and also cleared the cache of my site, without success.

* * *

Any idea how I can resolve the `rest_cookie_invalid_nonce` error?  
Maybe I missed some configuration?

Really appreciating any help offered.  
Thank you!

---

## Post 2 by @evance — 2023-10-26T06:30:58Z

Hi @neoswf,

- Are you running a Multisite or a regular single site?
- Do the errors occur only in DEV or in other ENVs as well?

I’ve only encountered Cookie issues when running a Multisite…

If so, then make sure that you are also copying all the **Multisite setup** aspects from `application.php`.

---

## Post 3 by @neoswf — 2023-10-26T12:27:16Z

Hi @evance, and thank you for your response.

- No, I’m running a single website (behind a load balancer).  
I always had to use this cookies config, due to the load balancer.
- The error happens on production.

Man, so maybe I got a wrong config related to multisite?  
Or maybe this issue is related to the fact that I'm behind a load balancer, and it suffers from the same issues a multisite has?

Either way, I applied the same modifications you have applied, and it's not working for me.

---

## Post 4 by @evance — 2023-10-26T12:52:46Z

If you’re running a single site then you don’t need that config part…

In fact it won’t work since it is Multisite-specific – `DOMAIN_CURRENT_SITE` will not be set in your `.env`

```
Config::define('COOKIE_DOMAIN', env('DOMAIN_CURRENT_SITE'));
```

See the [Trellis Multisite docs](https://roots.io/trellis/docs/multisite/) for more info on where those settings are coming from.

I’d suggest getting rid of the config changes and starting from scratch.

Maybe the load balancer is the issue – use the [HTTP Toolkit](https://httptoolkit.com/) to maybe get more insights into what is going on.

Sorry, that’s all I can offer…

---

## Post 5 by @neoswf — 2023-10-26T13:18:38Z

I actually had to add this variable `DOMAIN_CURRENT_SITE` to my env file by hand, to be able to use the config this way. I thought that it might not hurt, since I'm gonna have several environments, so I just gave it a try.

I always use this config, since I log in behind a load balancer. Without it, I just can't log in.

Can you explain to me in a very few words how to use the HTTP Toolkit to debug the issue? Never used it before.

Thank you :pray:

---

## Post 6 by @evance — 2023-10-26T13:21:09Z

Hi @neoswf,

The HTTP Toolkit has excellent documentation and also a [quick-start guide](https://httptoolkit.com/docs/getting-started/), so please check there :wink:

Good luck with your project!

---

## Post 7 by @neoswf — 2023-10-26T13:30:36Z

Thank you, evance.  
I did not mean to ask you to guide me in using the tool. I worded myself wrong. My bad.  
I meant to say: as far as I understand, this error is related to invalidation of the token the cookie is using. One of the possible sources of the problem is cache issues on the site, a thing I eliminated (as far as I can see).

And as far as I understand, the Bedrock .env config file sets straight the domain of the cookie. So I guess that using the HTTP Toolkit, I would be able to understand how the domain is configured in the REST cookies. Was that what you meant?

Thank you for your direction and help!

---

## Post 8 by @evance — 2023-10-26T13:34:57Z

I am not sure if inspecting the HTTP requests will yield anything of use for your specific case – it is just something I personally would do in order to better understand what steps / connections are involved.

Either you try it out or you don’t, that’s up to you :sunglasses:

Can’t offer more insights here, sorry…

---

## Post 9 by @neoswf — 2023-10-26T13:36:02Z

Sure thing. Installing it now. Thank you!

---

## Post 10 by @neoswf — 2023-10-28T15:08:57Z

Just to document my advances on the topic:

1. Not related to the load balancer - the problem happens on localhost as well
2. Not related to the cookies configuration - deleted the config and the problem still persists
3. Not related to the Nginx production-specific configuration - the problem happens on localhost as well

---

## Post 11 by @neoswf — 2023-11-09T22:56:03Z

OK. I have discovered the problem in the end.  
On a vanilla WordPress, behind an LB, I had to define the domain cookies (as mentioned above), and because of the http to https LB redirect, I had to set the `siteurl` and `home` like this: `//my.domain.com`.  
This made the REST cookie go nuts!  
No idea why in Bedrock I do not need to set all these things, but without them, the site works perfectly and does not require adjustments!
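
---

Post 11 traces the failure to protocol-relative `siteurl` and `home` values, and Post 4 notes that `DOMAIN_CURRENT_SITE` is not set on a single site. The PHP lint below is an added example, not code from the thread, Bedrock or WordPress; its function names are hypothetical, and `default_cookie_path()` mirrors the regex WordPress core applies in `wp_cookie_constants()` when `COOKIEPATH` is not defined.

```php
<?php
// Added example: lint for the settings discussed in this thread (hypothetical names).
// Requires PHP 8 for str_ends_with().

/** Cookie path as WordPress core derives it when COOKIEPATH is left undefined. */
function default_cookie_path(string $url): string
{
    return preg_replace('|https?://[^/]+|i', '', $url . '/');
}

/**
 * @param string|null $cookieDomain value given to COOKIE_DOMAIN; null = not defined
 * @return string[] findings; an empty array means nothing was flagged
 */
function lint_cookie_config(string $home, string $siteurl, ?string $cookieDomain): array
{
    $findings = [];
    foreach (['home' => $home, 'siteurl' => $siteurl] as $name => $url) {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($scheme !== 'http' && $scheme !== 'https') {
            $findings[] = sprintf(
                '%s "%s" has no http(s) scheme; derived cookie path would be "%s"',
                $name, $url, default_cookie_path($url)
            );
        }
    }
    if ($cookieDomain !== null) {
        $host   = strtolower((string) parse_url($home, PHP_URL_HOST));
        $domain = strtolower(ltrim($cookieDomain, '.'));
        if ($domain === '') {
            $findings[] = 'COOKIE_DOMAIN is defined but empty (is DOMAIN_CURRENT_SITE set in .env?)';
        } elseif ($host !== $domain && !str_ends_with($host, '.' . $domain)) {
            $findings[] = sprintf('COOKIE_DOMAIN "%s" does not cover host "%s"', $cookieDomain, $host);
        }
    }
    return $findings;
}

// Constructed sample values; my.domain.com is the placeholder used in the thread.
$cases = [
    'protocol-relative URLs'       => ['//my.domain.com', '//my.domain.com', 'my.domain.com'],
    'unset DOMAIN_CURRENT_SITE'    => ['https://my.domain.com', 'https://my.domain.com/wp', ''],
    'explicit scheme, no override' => ['https://my.domain.com', 'https://my.domain.com/wp', null],
];
foreach ($cases as $label => [$home, $siteurl, $cookieDomain]) {
    $findings = lint_cookie_config($home, $siteurl, $cookieDomain);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

Run it with the PHP CLI against the values from your own `.env` or options table; a finding is a prompt to inspect the setting, not proof that it causes the 403.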
