This CSRF error in the panel login is driving me insane.
Is there a way to disable this “feature”?
I have: restarted the computer, restarted the browser, cleared all cookies, and manually emptied the session files via FileZilla from our server at: www/domain/site/sessions
I also tried to use a private window and to log in with multiple browsers (Safari, Opera, Chrome) on two different computers, one Mac and one Windows machine.
Console in Opera shows: /api/auth/login:1
Failed to load resource: the server responded with a status of 400 ()
When exactly does this happen and what is your server environment?
I occasionally get an “invalid CSRF token” when trying to log in locally (after not logging out properly, but session just expired), but this is usually fixed with a hard reload.
Hello, thank you for getting in touch. It happened today, when I tried to log in to our website backend on the server of our web hoster (webgo, not locally).
The weird part is, it is independent of machine or browser when doing this and I deleted the sessions. In the console I get this:
login:1 Autofocus processing was blocked because a document already has a focused element.
index.min.js:7 Uncaught TypeError: Cannot read properties of null (reading 'contains') at Object.blur (index.min.js:7:391201) at vendor.min.js:11:21268 at Array.map () at Object.emit (vendor.min.js:11:21251) at Object.click (index.min.js:7:386171)
index.min.js:7 Uncaught TypeError: Cannot read properties of null (reading 'contains') at Object.blur (index.min.js:7:391201) at vendor.min.js:11:21268 at Array.map () at Object.emit (vendor.min.js:11:21251) at Object.click (index.min.js:7:386171)
Network Log Row Name: login/api/auth
This is the Set Cookie: kirby_session=3a49555a50e4518834b01382b2fb9f157b48e348%2B1741787718.adc987e66a3a2c58ab1e.93ee52e6318298230bbc475b0e62e848680e82e0f0a81359d82ebaf8b4bdf407; expires=Wed, 12 Mar 2025 13:55:18 GMT; Max-Age=7200; path=/; secure; HttpOnly; SameSite=Lax
What I noticed is that every time I reload the /panel/login page, the Set-Cookie value changes, while it should remain the same. I guess this is some nginx config issue.
How would I address this? I have not changed anything and now am effectively locked out of my website backend. I lost half a work day researching this. I urgently need to update the website contents; it will be very important and might cost me dearly if I cannot work on this. Is there a possibility to disable the CSRF token feature for the future after I resolve this problem? Tbh I don't even know what nginx is…
Can you please provide me with some information so I can ask our provider in an educated manner to resolve this? Am I telling them that nginx is giving out multiple session cookies, resulting in CSRF errors, when it should only be one? How can I future-proof my backend access against this kind of problem? I am sorry to ask so many questions.
My hosting provider explained that, due to a large backup file that was created today, the session files created by Kirby could be blocked from being saved correctly, because the storage limit has been exceeded. I am pulling the backup now and freeing up the server. I will report back if this resolves the issue.
After pulling the files and clearing up the space, it shows that the session files had indeed been blocked from containing any data. Upon closer inspection I could see the old session files had been created in the folder, but were 0 bytes.
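
The failure found at the end of this thread (session files created but left at 0 bytes because the storage limit was exceeded) can be checked for directly on the server. The shell function below is an added example, not part of the original posts or of Kirby itself; the name `check_sessions`, the 10 MiB default threshold and the probe file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: health check for a file-based session directory.
# Usage: check_sessions DIR [MIN_FREE_KB]
# Prints one line per finding; returns 0 if healthy, 1 otherwise.
check_sessions() {
    dir=$1
    min_free_kb=${2:-10240}   # assumed default threshold: 10 MiB
    status=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # 1. Zero-byte session files: the symptom described in this thread.
    #    A session file with no data cannot hold the CSRF token.
    empty=$(find "$dir" -type f -size 0 | wc -l | tr -d ' ')
    if [ "$empty" -gt 0 ]; then
        echo "FAIL: $empty zero-byte session file(s) in $dir"
        status=1
    fi

    # 2. Free space on the filesystem that holds the directory.
    free_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR==2 {print $4}')
    free_kb=${free_kb:-0}
    if [ "$free_kb" -lt "$min_free_kb" ]; then
        echo "FAIL: only ${free_kb} KB free (want >= ${min_free_kb} KB)"
        status=1
    fi

    # 3. Write probe: df can report free space while an account quota
    #    still blocks writes, so write real data and read it back.
    probe="$dir/.write-probe.$$"   # hypothetical probe file name
    payload="session-probe"
    if printf '%s' "$payload" > "$probe" 2>/dev/null &&
       [ "$(cat "$probe" 2>/dev/null)" = "$payload" ]; then
        :
    else
        echo "FAIL: cannot write and read back data in $dir"
        status=1
    fi
    rm -f "$probe"

    [ "$status" -eq 0 ] && echo "OK: $dir looks healthy"
    return "$status"
}
```

Called as `check_sessions www/domain/site/sessions` (the path from the first post), it reports the empty files and the failed write described above.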