Login Redirect Loops


When you attempt to log in, the system redirects you back to the login page without an error.

This issue may also cause an Invalid csrf protection token error message.


This indicates an issue with PHP sessions on your server.

If your server is behind a proxy, load-balancer, or CDN, a misconfiguration could be causing the session problem. For help, see Trusted Proxies.


You can confirm this by checking Remember Me on the login page and then attempting to log in again. If this allows you to log in successfully, it confirms that there is a problem with PHP sessions.

Admin Area

To find PHP misconfiguration issues, go to Configuration () > System Health.

Session Test

If you cannot access the WHMCS Admin Area:

  1. Upload the test_sessions.php file to your server.
  2. Visit the file in your browser and note any errors or warnings.
  3. Refresh the page.
    • Every time you refresh the page, the number should increase (for example, from 1 to 2 and then from 2 to 3).
    • A message will also display to confirm that your server’s PHP file-based session storage location is writable.

The expected result from the test_sessions.php file in a correctly-configured cPanel server environment is:

Array (     [count] => 1 )

PHP session.save_path /var/cpanel/php/sessions/ea-php81 is writable

If the number stays at 1 on your server or a warning states that the PHP session path is not writable , there is a problem with the PHP sessions configuration.


If you find a PHP misconfiguration issue, work with your system administrator or hosting provider to adjust your PHP configuration. Common things to check for include:

  • The configured session tmp path not being writable.
  • The configured session tmp path being full.
For more information, see PHP Session Support.


Disable Session IP Checks

As a security measure, WHMCS evaluates a visitor’s IP address against the expected value.

To disable this temporarily:

  1. Go to the Security tab at Configuration () > System Settings > General Settings.
  2. Check Disable Session IP Check.
  3. Click Save Changes.

If you cannot access the WHMCS Admin Area to view this page, run the following query against the WHMCS database using a tool like phpMyAdmin:

UPDATE `tblconfiguration` SET `value` = 'on' WHERE `setting` = 'DisableSessionIPCheck';

Switch to Database Session Storage

WHMCS can store login session data in the MySQL® database instead of on the filesystem. Switching to database session storage can work around such limitations.

For more information, see Database Sessions.

Last modified: June 14, 2024