Invalid CSRF token reported by client


My client can’t log in to the panel and gets an ‘invalid CSRF token’.
It is only temporarily resolved when the client deletes their browser cookies. The problem soon reappears. It doesn’t seem to matter which browser either; tested on Chrome, Safari and Firefox.

This website has a lot of users, over 50, and so a lot of sessions are created. I thought the problem might be related to that, but it doesn’t seem that way. I initially requested long sessions through the config and session files piled up. I’ve removed the code for long session durations and I’ve also repeatedly manually cleared all session files. The client however still gets the invalid CSRF token.

Interestingly, it’s only one user who is reporting this issue thus far. Neither I nor any other users have come across this issue, or at least have not reported it.

PHP version 8.0, Kirby
The website is live at
phpinfo: PHP 8.0.14 - phpinfo()

The website is hosted on I thought perhaps this issue is related to the redirect from HTTP to HTTPS, since the redirect is now set in the .htaccess file, as the hosting provider does not have a setting in its configuration to automatically redirect to HTTPS. I had other client websites on the same hosting provider and have never come across this issue though.


Does the user use any browser plugins that block cookies or whatever? What if that user uses a different machine?

The user told me he tried on different computers but the problem shows on both. Also no browser plugins installed or anything like that.

I get this, too, occasionally. My browser is automatically deleting cookies after closing it, so if I restart the browser and it loads the page with the panel from cache it won’t remember the session cookie. A page refresh usually solves this problem.