see frontend_helper.php on line 392 there is the '403 - forbidden Invalid access code' thrown

Token is empty on endpage of survey and throws 403.
Problem is not the function but token is not in _SESSION at the time of loading the function.

Hello,
For information, I encounter the same issue on the version 6.15.6+250818
Kind regards

Yes, After 6.15.5+250724 it does not work anymore... I hoped 6.15.6+250820 adresses this issue. But no!

I had the same problem and did the following:
In the file /YOUR_DOCS_ROOT/limesurvey/application/helpers/SurveyRuntimeHelpers.php, starting at line 220

Replace this part:
if ($tokenValue && isset($_SESSION[$this->LEMsessid][“srid”])) {

            $oSurveyResponse = SurveyDynamic::model($this->iSurveyid)->findByAttributes([“id” => $_SESSION[$this->LEMsessid][“srid”]]);
            if ($oSurveyResponse->hasAttribute(“token”)) {
                $oSurveyResponse->token = $tokenValue;
            }
            if (isset($_SESSION[$this->LEMsessid][“filltoken”])) {
                unset($_SESSION[$this->LEMsessid][“filltoken”]);
            }
            if (isset($_SESSION[$this->LEMsessid][“token”])) {
                unset($_SESSION[$this->LEMsessid][“token”]);
            }

with

if (isset($_SESSION[$this->LEMsessid][“filltoken”]) && isset($_SESSION[$this->LEMsessid][“srid”])) {
$oSurveyResponse = SurveyDynamic::model($this->iSurveyid)->findByAttributes([“id” => $_SESSION[$this->LEMsessid][“srid”]]);

            $oSurveyResponse->token = $_SESSION[$this->LEMsessid][“filltoken”];
                            unset($_SESSION[$this->LEMsessid][“filltoken”]);

This is from the old version 6.15.5 and solves the problem, but it should be fixed accordingly in one of the next updates.

Tnx.
I hope this will be resolved soon...

I made a PR 04408 in github.. But it failed some unit tests... Hmmm... I give up! :-)

I can't fight with a bot.
The bot is rejecting my PR because the token is not removed ('possible' security concern), So if it will pass the bot, Tokenized surveys will not submit.. So I give up this fight!

That's strange, did you adjust the lines and does it work for you now?

@ishidden: I just removed lines 229-231 (the part where token is removed from object)
The (a) bot is tagging this as 'possible securiy concern'

@ishidden: Your code change and mine ar both working...

The solution (SurveyRuntimeHelpers.php, starting at line 220) from ishidden works for us. But a official solution ober comfort Update will be nice.

For us one thing is very clear... Token management is faulty in 6.15.7 and maybe 1 or 2 versions before that.
We went back to 6.15.1 and all works like a charm!
So maybe 6.15.4 of 6.15.5 will also work! I will check that out in the coming hours.

token management:
6.15.4 is OK
6.15.5 onward Fails

Have you verified that the token is available and that it does not appear as a completed questionnaire?

correction 6.15.4 is also at fault...
6.15.3 is OK

Fot us 6.15.3 is now frozen. No more updates until it is fixed.

@FabioSC token tables exists and a couple of oldtoken* also... activating a 'closed' survey should present a dialog where you can choose to import old tokens...
As of version 6.15.4 is is not happening anymore!

This form is not shown when activating a survey as of version 6.15.4
This is 6.15.3 (so it works as expected)

Schermafbeelding 2025-08-25 112534.png (60,956 bytes)   

Schermafbeelding 2025-08-25 112534.png (60,956 bytes)   

For what it is worth:
IMHO: https://github.com/LimeSurvey/LimeSurvey/pull/4300 is causing the issues

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=39036

Fixed in Release 6.15.8+250825

Just installed Release 6.15.8+250825
403 submit: fixed

But all the other token managementproblems still exsists. So version 16.5.3. is still the stable one!