Update fails with an error message
From Joomla! Documentation
This pertains only to Joomla! version(s): 3.6.1
What is the cause?
3.6.1 introduced a CSRF token check to the update component as an extra level of security. 3.6.0 down to 2.5.4 (every version with the update component) will hit the issue with the CSRF token because those versions don't generate the needed code to pass the check. Future updates will work correctly
How to fix?
Updating from Joomla! 3.6.0
- Go back to your administration panel example.com/administrator
- Then go to Extensions → Manage → Database
- You should see a message that the dababase is out of date
- Click on the Fix button in the toolbar.
Updating from Joomla! UNDER 3.6.0
If you are running a version under 3.6.0:
- Update first to Joomla! 3.6.0 and NOT directly to Joomla! 3.6.1
- Update the com_joomlaupdate via the extension manager
- and then run your update from Joomla! 3.6.0 to Joomla! 3.6.1.
The new version of the com_joomlaupdate is available in the backend through the regular extension updater.
Please see the official announcement related to this issue HERE
Note: If your website is running with PHP 5.3, this error message may be displayed when trying to log in:
0 Failed to start the session: already started by PHP ($_SESSION is set).
Joomla! 3.6.2 will fix this issue. See Fix logging in in PHP 5.3.