Change password sometimes fails due to invalid form token

There seems to be a synchronization issue with the form token being invalidated before its final use when changing password. The mail function is not setup so when the change passes it throws when trying to send the confirmation e-mail.

System: v4.7.1, Windows, Maria DB

Setup: - Disable the mail function

Steps to reproduce:

  • /index.php?module=UsersManager&action=userSecurity
  • Change password
  • in ~50% of cases the change fails with:

Error in Matomo: Could not verify the security token on this form.