Invalid CSRF token


I can’t connect to my panel since I moved to production. So I deleted the account and restarted a panel access to create a new user… then I get this error message: Invalid CSRF token
After much reading on the forum I emptied the cache of my Chrome browser, I also changed my browser, I emptied the sessions folder but nothing happened. I went to see my plugins and I didn’t find any particular problems.

My plugins :

  • editor
  • kirby3-cookie
  • kirby3-robots-txt
  • kirby3-seo
  • kirby3-xmlsitemap

About the features of my dedicated server :

  • php7.3-fpm
  • nginx latest version

thx :wink:

Could you please post the HTTP response from the Panel?

Here is the message sent when creating an account:
{"status": "error", "message": "Invalid CSRF token", "code":400, "key": "error.invalidArgument", "details":[] }.

I mean the HTTP status response from the browser’s network tab, not the error message.

I don’t quite understand your question, so I’m sending you a screenshot.

Could you send me the URL to the project please, via DM if you don’t want to post it publicly?

Ah, I only just noticed that your Panel comes up with the installation screen, so you haven’t created a user yet.

You can do one of two things:

  1. Upload the user account you created on localhost
  2. Allow installing the Panel on a remote host in your config:

I had created a user but the connection didn’t work, even after the manipulations mentioned in my message on the forum. So I deleted it to redo a user and be able to connect to the website again.
Look at my config.php in the PM.

Now I can hand over my user account and let you see :wink:

I still have the same problem…

I have to postpone this until later tonight, don’t have the time to look into it atm.

OK no worries. thx :wink:

Hm, when I check the request for the login page, I can see that there is no cookie set. I wonder if that’s due to wrong configuration of the cookie plugin or a problem on your server. Please test with a fresh Starterkit or try removing the plugin.


Thx for the help. I found the solution. It’s my fault… In my nginx.conf I wrote this line:
fastcgi_hide_header Set-Cookie;

I think it would be cool to write a best practice of dos and don’ts to get on the panel :wink:

Thx @texnixe for your help

@texnixe, can you explain to me how you saw that there is no cookie set?
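Added example, not part of the original thread and not Kirby or nginx code: a small Python check for the two things the thread turned on, whether a response carries a `Set-Cookie` header at all, and whether an nginx config contains a `*_hide_header Set-Cookie` directive that strips it. The sample config, socket path and response headers are constructed for illustration; only the `fastcgi_hide_header Set-Cookie;` line comes from the thread.

```python
import re

# nginx directives that remove a named upstream header before it reaches the client.
HIDE_DIRECTIVE = re.compile(
    r"^\s*((?:fastcgi|proxy|uwsgi|scgi)_hide_header)\s+([^\s;]+)\s*;",
    re.IGNORECASE,
)

def find_cookie_stripping(conf_text):
    """Return (line_number, directive) for each active *_hide_header Set-Cookie line."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        active = line.split("#", 1)[0]  # drop comments so disabled lines are ignored
        match = HIDE_DIRECTIVE.match(active)
        if match and match.group(2).strip("\"'").lower() == "set-cookie":
            hits.append((number, match.group(1).lower()))
    return hits

def response_sets_cookie(raw_headers):
    """True if a raw HTTP response header block contains a Set-Cookie field."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, _ = line.partition(":")
        if name.strip().lower() == "set-cookie":
            return True
    return False

# Constructed sample config; line 4 reproduces the directive quoted in the thread.
SAMPLE_CONF = """\
location ~ \\.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    fastcgi_hide_header Set-Cookie;
    # proxy_hide_header Set-Cookie;
    fastcgi_hide_header X-Powered-By;
}
"""

# Constructed response headers as a browser would receive them behind that config.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: no-store\r\n\r\n"
)

if __name__ == "__main__":
    print(find_cookie_stripping(SAMPLE_CONF))
    print(response_sets_cookie(SAMPLE_RESPONSE))
```

Without a session cookie the browser cannot present the session that the CSRF token is bound to on the next request, which is why the symptom shows up as a token error rather than a cookie error.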