Thread:Support/About MediaWiki:Anontalkpagetext/bcl/reply

MediaWiki includes multiple security mechanism to authenticate that actions are really executed by the user. So users need to login to get a token that is transfered in cookies when user executes actions. Browser send this session token automatically, even if JavaScript on other website initiates the action. To prevent those sites from doing that, all write actions need another action token, which is first requested in other request. While other sites can initiate JavaScript requests to any site, they can't read the results, do they cannot access this action specific token and thus cannot execute write actions without the user knowing.

Now, this error message appears when an action is executed, where this token (a string basically) does not match what the server has stored for the user. This often happens if the session has timed out (keeping some page open for too long), clearing the previously stored value.