Can not log in to panel - Invalid CSRF token

Hello together,

I’ve got a client on a shared host (1&1) and managed to get the page working with RewriteBase /. The site is created on v3.0.0, PHP is 7.2.16.

Unfortunately, I can not log in to the panel. The request returns an error object:

{status: "error", exception: "Kirby\Exception\InvalidArgumentException", message: "Invalid CSRF token",…}
code: 400
details: []
exception: "Kirby\Exception\InvalidArgumentException"
file: "irby/config/api/routes/auth.php"
key: "0"
line: 31
message: "Invalid CSRF token"
status: "error"

(the missing ‘k’ at ‘file:’ is really there)

does anybody have an idea what to try or where to look?
Many thanks in advance!

Try and delete the session cookie in your browser.

Thanks texnixe! This did not help in my case… I tried from different devices/sessions. Do you have any more ideas?

When I try to var_dump($auth->csrf()); in the kirby/config/api/routes/auth.php (line 31) I can see that it is bool(0). When I comment the throw on line 31, after the login on the host I get “Not authenticated” and the login page refreshs. On my localhost it just forwards me logged in. So it must be something wrong with the session either way, right?

Could you please update to the latest release (3.1.0) and let me know if the issue persists?

It might also make sense to remove all session files from the site\sessions folder.

1 Like

Unfortunately, the issue persists after update, (I tried 3.1.0 and 3.1.1).

The site\sessions-folder contained over 1000 *.sess-files - removing them didn’t help yet. But it seems that on every page refresh another session/*.sess-file gets created (as oppose to local, where the session persists after refreshing the page).

Ah, that explains why the CSRF Token becomes invalidated, because it is only valid for the current session. Have you tried in different browsers?

Yes that makes sense, I’m wondering what’s causing the session problems - could it be a PHP setting? (phpinfo available if it helps).

Yep, I just tried all major browsers on browserstack without any success.

phpinfo() output (expecially regarding session related stuff) could be helpful to narrow it down, yes please.

Thanks for your efforts!
I uploaded the outputted HTML here:, maybe someone can see something in there.

That phpinfo() looks fine at first glance.

My guess is that the session cookie is not set properly (some servers modify or block headers, although I haven’t seen that problem at 1&1 so far). Could you please send me a forum direct message with the URL to the site that isn’t working so I can check the Panel HTTP response?

Thanks Lukas, I just sent you a direct message. I will check the basic session behaviour on that host in an isolated file later that week - that may bring a little light in the dark.

Thanks! It’s what I suspected.

Your server returns the following response for /panel/login:


It should look similar to this though:


As you can see, your server doesn’t send the Set-Cookie header, which is why the session is regenerated on every request (if the client doesn’t have the cookie, it can’t send it back with the next request).

Unfortunately, this is something that is very hard for us to debug as we don’t know the specifics of the 1&1 server setup. Please get in touch with their support team about this. I hope they can tell you more. :slight_smile:

1 Like

This will help us digging a little deeper! 1&1 wasn’t able to help us yet, but we’re interested in finding a solution and I will post the results once we know more about it or how to solve it. Thanks for checking and all the help so far

1 Like

Hey together,

we solved this issue thanks to the debugging of one of our team members.
The issue was caused in our version of the index.php of the kirbyTextRaw-plugin where we had a new line on line 1:

 * Kirby 3 plugin - kirbytextRaw
 * Parse Markdown-formatted text as kirbytext without enclosing <p> tags

This caused headers to be sent and the particular php.ini of the hoster didn’t like it.
this must be a classic. So beware, dear readers!

Thanks for all the support and this great piece of software!

1 Like

Thanks for the update. Those bugs are of course always the most nasty ones. I’m glad you were able to find it. :slight_smile:

Hi there!

I seem to have the same issue. The site works fine locally (MAMP), but the panel login does not work when deployed on my server (hosteurope, php 2.2.27). These are the headers sent in the login:

Any ideas? Thanks!

(also, I have the same issue with 5 sessions being created in site/sessions for each request)

Ha! Same issue indeed with the newline at the beginning of a file.

I was also having the same error, with invalid CSRF token and constantly being kicked out of panel login, but found out that the session cookie was properly received in the headers. Issue was Chrome was blocking the cookie from being set as I was not on HTTPS. The domain i was on had no auto redirect from http to https. After wasting many hours, working flawless now.