Invalid CSRF token when logging into panel

When logging in I receive the error “Invalid CSRF token”.
I’ve checked other topics but none of the solutions there seem to apply to my project.

HTTP response

HTTP/1.1 400 Bad Request
Date: Fri, 02 Apr 2021 14:03:06 GMT
Server: Apache
Set-Cookie: kirby_session=151c640731a79bd35f6c9c7f5652f1ba885f5767%2B1617379387.a986e1bbdb290a6f1ec4.25e9fd89523ff7aab91f9638166043ffbb6c8009f64b65f9dcf564a9d29103f6; expires=Fri, 02-Apr-2021 16:03:07 GMT; Max-Age=7200; path=/; secure; HttpOnly; SameSite=Lax
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8 

Things I’ve tried:

  1. Clearing browser cookies
    Seems to have no impact.

  2. Disabling adblockers
    Seems to have no impact.

  3. Clearing the site/sessions folder
    The site/sessions folder keeps piling up with .sess files. If I remove these, I can log in successfully. If I then log out and back in, I get the CSRF error again.
    Edit: Now it seems that even this does not work :man_shrugging:

  4. Changed .htaccess to force https
    The website works fine without setting RewriteBase / but to get the https redirect to work I had to enable this. I don’t know why.

    RewriteBase /
    RewriteCond %{HTTP_HOST} !^(.*).local$
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

  5. Checked plugins for line breaks on line 1
    Some people solved this issue by finding empty lines. I checked all my plugins and found no empty lines.

The project is hosted by the client’s parent company IT department. I’ve had server issues with them before on a K2 project but since moving to K3 and updating to PHP7 those issues have gone. I’m still looking into the slow load times but I think their server infrastructure is also partially to blame for that.

Does this only happen on the server or also locally?

You said you checked your plugins for empty lines, but what about the config file or any other files like controllers, templates etc.?

No, it does not happen locally.

I checked every php file in my site folder and subfolder. Don’t see any issues.

I was receiving an error elsewhere that images couldn’t be resized due to limited disk space. It was pretty much full due to an old backup taking up half the storage space.

Although it seemed unrelated, I’ve cleared some space and it appears to have fixed the CSRF error too :crossed_fingers:
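
A server-side check for the condition that resolved this thread (a nearly full disk under the file-backed `site/sessions` folder), as an added example that is not code from the thread or from Kirby. The default path, the 10 MB threshold and the function names are assumptions; pass the session folder as the first argument to run the check.

```shell
#!/usr/bin/env bash
# Added example: health check for a file-backed session folder.
# Assumptions (not from the thread): default path, 10 MB threshold, names.

# Count session files currently stored in the folder.
count_sess_files() {
  find "$1" -maxdepth 1 -type f -name '*.sess' 2>/dev/null | wc -l | tr -d ' '
}

# Free space, in KB, on the filesystem that holds the folder.
free_kb() {
  df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# Return codes: 0 ok, 2 folder missing, 3 probe write/read-back failed,
# 4 free space below the threshold.
check_session_store() {
  local dir="${1:-site/sessions}" min_kb="${2:-10240}"
  local probe payload free
  [ -d "$dir" ] || { echo "missing: $dir"; return 2; }

  # Write a probe file and read it back: this fails on a full disk and
  # on wrong ownership or permissions alike.
  probe="$dir/.probe.$$"
  payload="probe-$$-$(date +%s)"
  if ! printf '%s' "$payload" 2>/dev/null > "$probe" ||
     [ "$(cat "$probe" 2>/dev/null)" != "$payload" ]; then
    rm -f "$probe"
    echo "cannot persist files in $dir"; return 3
  fi
  rm -f "$probe"

  free="$(free_kb "$dir")"
  echo "free: ${free} KB, session files: $(count_sess_files "$dir")"
  if [ "${free:-0}" -lt "$min_kb" ]; then
    echo "low disk space under $dir"; return 4
  fi
  return 0
}

# Run the check only when a folder is given on the command line.
if [ "$#" -gt 0 ]; then
  check_session_store "$@"
fi
```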